MALAYSIAN PUBLIC SECTOR MANAGEMENT OF...

MALAYSIAN PUBLIC SECTOR

MANAGEMENT

OF

INFORMATION & COMMUNICATIONS

TECHNOLOGY

SECURITY HANDBOOK

(MyMIS)

Malaysian Administrative Modernisation and Management Planning Unit,Prime Minister’s Department

2001 by Malaysian AdministrativeModernisation and Management

Planning Unit (MAMPU)Level 6, Block B2, Prime Minister’s Department Complex

Federal Government Administrative Centre62502 Putrajaya

(603) 8888 2250

(603) 8888 3286

http://www.mampu.gov.my

[email protected]

2

15 January 2002

MAMPU

Copyright

Telephone:

Telefax:

Website:

e-mail:

Version:

As of:

Author:

No part of this documentation may bereproduced or processed, copied,

distributed by a retrieval systemin any form (print, photocopies,

or any other means) without priorwritten consent of MAMPU.

MAMPU reserves the right to modifyor supplement the documentation at any

time without prior announcement.MAMPU is not liable for misprints

and damage resulting from this.

All rights reserved:

Perpustakaan Negara Malaysia Cataloguing-in-Publication Data

Jawatankuasa Standard Keselamatan IT KerajaanMalaysian public sector management of information &communication technology security handbook / [JawatankuasaStandard Keselamatan IT Kerajaan].ISBN 983-9827-16-21. Computer security-Malaysia-Handbooks, manuals, etc.2. Data protection-Malaysia-Handbooks, manuals, etc.3. Administrative agencies-Data processing-Security measures-

Malaysia-Handbooks, manuals, etc.4. Administrative agencies-Communication systems-Security

measures-Malaysia-Handbooks, manuals, etc.5. Information technology-Security measures-Handbooks,

manuals, etc. I. Title.352.37909595

Acknowledgement

The Government of Malaysia is committed towards modernising its administrative machinery andenhancing its service delivery mechanisms. The process of ensuring an efficient and effective

public sector is being driven by the enabling capabilities of information and communications technology(ICT). The resultant widespread adoption of ICT systems by the public sector has meant that moreand more Government agencies are moving towards the paperless work environment where ICTsystems have become indispensable for the provision of Government services to citizens.

The expansion of ICT systems within the public sector has in turn led to a significant increase inthe number of public sector information repositories and other ICT-based installations and assets.The security of these ICT installations and assets are exposed to the vulnerability of open andnetworked electronic systems. As such agencies now face the additional responsibility of securingICT-based Government information and systems as well as ensuring that they are available to authorisedusers.

The Malaysian Public Sector ICT Management Security Handbook (MyMIS) is intended as a referenceand guide for public sector personnel in managing security in all public sector ICT installations.MyMIS serves to complement the ICT security measures taken earlier by the Government by wayof Pekeliling Am Bil. 3 Tahun 2000 entitled ‘Rangka Dasar Keselamatan Teknologi Maklumat danKomunikasi Kerajaan’ (Government Information and Communications Technology Security PolicyFramework) and Surat Pekeliling Am Bil.1 Tahun 2001 entitled ‘Mekanisme Pelaporan Insiden KeselamatanTeknologi Maklumat dan Komunikasi (ICT)’ (Information and Communications Technology (ICT) SecurityIncident Reporting Mechanism).

While every effort has been made to address all possible ICT security situations in the handbook,there will of course be instances during normal ICT operations where the incidents encountered maynot be sufficiently covered in this handbook. In the event of such cases, the best practice availablefor the relevant situation should be followed.

Needless to say, the MyMIS handbook is the product of close collaboration between MAMPU andvarious other Government agencies. Their contributions have certainly helped sustain the momentumduring periods of waning energy in the course of completing this handbook. MAMPU would thereforelike to place on record its appreciation to the following agencies:

• National Security Division, Prime Minister’s Department (Bahagian Keselamatan Negara, JabatanPerdana Menteri)

• Office of the Chief Government Security Officer, Prime Minister’s Department (Pejabat KetuaPegawai Keselamatan Kerajaan, Jabatan Perdana Menteri)

• Ministry of Energy, Communications and Multimedia (Kementerian Tenaga, Komunikasi danMultimedia)

• Ministry of Defence (Kementerian Pertahanan)

• National Institute of Public Administration (INTAN)

• Universiti Teknologi Malaysia

• Universiti Kebangsaan Malaysia

• Universiti Putra Malaysia

• Universiti Malaya

• Bank Negara Malaysia

• GITN Sdn. Berhad

• MIMOS Berhad

• SIRIM Berhad

i

I wish to also express my appreciation to Y. Bhg. Tan Sri Samsudin Osman, Chief Secretary to theGovernment of Malaysia, for entrusting MAMPU with the task of preparing and publishing this handbook.

Finally, I thank my officers and staff in MAMPU, in particular those in the ICT Security Division whowere actively involved in the entire process of conceptualising, drafting, reviewing and publishing thishandbook.

DATUK DR. MUHAMMAD RAIS BIN ABDUL KARIM

Director-GeneralMalaysian Administrative Modernisation and ManagementPlanning Unit (MAMPU)Prime Minister’s Department, MalaysiaJanuary 2002

ii

The Internet-driven global digital revolution and the explosive growth of computer networks andsystems have resulted in the extensive use of information and communications technology (ICT)

for gathering, maintaining and transmitting information and data. Electronic connectivity in the workplace has meant that the security of ICT systems and the information residing in them can no longerbe provided through conventional means. The increasing incidence of hacking, virus attacks and otherforms of electronic trespass have necessitated the need for securing the new electronic work environment.The public sector is not insulated from the prevailing dangers of the digital world. For that matter,considering the scope of its functions, services and transactions as well as the complexities of itsinter-relationships with all components of society, the public sector has to seriously address all concernsrelating to ICT security.

For the Malaysian public sector, ICT security is critical to the objective of implementing ElectronicGovernment and expanding the use of ICT in the delivery of Government services as well as inenhancing the internal operations of public sector agencies. In this regard, the Government hasalready issued a broad policy guideline on the underlying principles of ICT security, the responsibilityof safeguarding Government information and the need for awareness about threats to the integrityof information and ICT assets. In addition, guidelines on the mechanism for reporting ICT securityincidents were also issued to assist agencies in handling ICT security incidents in the public sector.

This Malaysian Public Sector Management of Information and Communications Technology SecurityHandbook (MyMIS) serves to complement the overall approach towards safeguarding ICT securityin the public sector. It provides a comprehensive set of practical instructions to public sector agenciesin managing and securing information and other ICT assets in their respective organisations. MyMISwill ensure that due attention is given to the entire range of activities related to the operations ofa particular ICT-based facility, infrastructure, system or application. In this way, public sector agenciescan be confident of the integrity, authenticity and availability of their services and outputs. As such,while satisfying the service requirements of customers at the individual level, public sector agenciescan ensure privacy and confidentiality in all ICT-based transactions while safeguarding against anybreach of national security.

I am confident that MyMIS will prove to be an extremely useful source of reference for all publicsector agencies in implementing an effective ICT security management paradigm in their respectiveorganisations. While we understand that there cannot be a guarantee of absolute security withininternetworked electronic work environments, adherence to guidelines as prescribed by MyMIS willgo a long way in mitigating much of the risks that ICT-based systems are exposed to. Public sectoragencies should therefore ensure that the relevant levels of management within their organisationsare informed and understand the contents of the handbook which is meant to serve as the standardguide for all ICT security management decisions and tasks. Finally, I wish to congratulate MAMPUand all others involved in coming out with this handbook.

TAN SRI SAMSUDIN OSMAN

Chief Secretary to the Government, MalaysiaJanuary 2002

Chief Secretary to the Government

iii

Table of Contents

Page

Acknowledgement i

Chief Secretary to the Government iii

Table of Contents v

List of Tables xiii

List of Figures xiv

List of Appendices xv

Chapter 1 INTRODUCTION 1 - 1

1.1 General 1 - 1

1.2 Standards Framework 1 - 2

1.3 Handbook Coverage 1 - 3

1.4 Audience 1 - 4

Chapter 2 MANAGEMENT SAFEGUARDS 2 - 1

2.1 Public Sector ICT Security Policy 2 - 1

2.1.1 Central Level 2 - 2

2.1.2 Ministry/State Level 2 - 2

2.1.3 Departmental Level 2 - 3

2.2 Public Sector ICT Security Programme Management 2 - 3

2.2.1 Central Public Sector ICT Security ProgrammeManagement 2 - 4

2.2.2 Operating Level Public Sector ICT SecurityProgramme Management 2 - 4

2.3 Public Sector ICT Security Risk Management 2 - 5

2.3.1 Formation of Risk Management Committee 2 - 5

2.3.2 Identification of Risks and Threats 2 - 6

2.3.3 Evaluation of Risks and Threats 2 - 6

2.3.4 Identification of Necessary Safeguards 2 - 7

2.3.5 Managing Residual Risks 2 - 8

2.3.6 Implementing Safeguards and MonitoringEffectiveness 2 - 8

2.3.7 Uncertainty Analysis 2 - 8

v

4 Incorporating Public Sector ICT Security into the SystemLife Cycle 2 - 9

2.4.1 Benefits of Integrating Public Sector ICT Securityin the System Life Cycle 2 - 9

2.4.2 The ICT System Life Cycle Phases 2 - 9

2.5 Public Sector ICT Security Assurance 2 - 11

2.5.1 Design and Implementation Assurance 2 - 11

2.5.1.1 Testing and Certification 2 - 11

2.5.1.2 Conformance Testing 2 - 12

2.5.1.3 Use of Reliable Architectures 2 - 12

2.5.1.4 Ease of Safe Use 2 - 12

2.5.1.5 Evaluation and Reviews 2 - 12

2.5.1.6 Assurance Documentation 2 - 13

2.5.1.7 Certification of Product to Operate inSimilar Situation 2 - 13

2.5.1.8 Self-Certification 2 - 13

2.5.1.9 Warranties and Liabilities 2 - 13

2.5.1.10 Distribution Assurance 2 - 14

2.5.2 Operational Assurance 2 - 14

2.5.2.1 Audit Methods and Tools 2 - 14

2.5.2.2 Monitoring Methods and Tools 2 - 16

2.6 Operational Assurance Issues 2 - 18

Chapter 3 BASIC OPERATIONS 3 - 1

3.1 Information Classification 3 - 1

3.2 Roles and Responsibilities 3 - 2

3.2.1 Head of Department 3 - 2

3.2.2 Chief Information Officer 3 - 3

3.2.3 Computer Manager 3 - 3

3.2.4 ICT Security Officer 3 - 4

3.2.5 System Administrators 3 - 5

3.2.6 Help Desk 3 - 5

3.2.7 Users 3 - 5

3.2.8 Vendors, Contractors and External Service Providers 3 - 6

vi

3 Human Factors 3 - 6

3.3.1 Personnel Security 3 - 7

3.3.1.1 Confidentiality Agreement 3 - 7

3.3.1.2 Personnel Screening 3 - 7

3.3.2 Awareness 3 - 7

3.3.3 Problem Employees 3 - 7

3.3.4 Former Employees 3 - 7

3.4 Electronic Facilities 3 - 8

3.4.1 Telecommuting 3 - 8

3.4.2 Voice, Telephone and Related Equipment 3 - 8

3.4.2.1 Access to Voice Mail system 3 - 9

3.4.2.2 Private Branch Exchange 3 - 9

3.4.2.3 Spoken Word 3 - 9

3.4.2.4 Intercept 3 - 10

3.4.2.5 Casual Viewing 3 - 10

3.4.2.6 Output Distribution Schemes 3 - 10

3.4.2.7 Destruction 3 - 10

3.4.2.8 Clock Synchronization 3 - 10

3.4.3 Facsimile 3 - 10

3.4.3.1 Modification 3 - 11

3.4.3.2 Transmission Acknowledgement 3 - 11

3.4.3.3 Misdirection of Messages 3 - 11

3.4.3.4 Disclosure 3 - 11

3.4.3.5 Unsolicited Messages 3 - 11

3.4.3.6 Retention of Documents 3 - 12

3.5 Electronic Mail 3 - 12

3.5.1 Authorised Users 3 - 12

3.5.2 Physical Protection 3 - 12

3.5.3 Logical Protection 3 - 12

3.5.4 Integrity of Content 3 - 13

3.5.5 Disclosure 3 - 13

3.5.6 Message Retention 3 - 13

3.5.7 Message Reception 3 - 13

3.5.8 Protection against Malicious Code 3 - 14

3.5.9 Security Labelling 3 - 14

vii

6 Mass Storage Media 3 - 14

3.6.1 Protection of Information in Storage Media 3 - 14

3.6.2 Environmental Considerations 3 - 14

3.6.3 Disposal of Storage Media 3 - 15

3.6.4 Non-Current Storage Media 3 - 15

3.6.5 Intellectual Property Rights 3 - 15

3.6.6 Vendors, Contractors, External Service Providers,Third Party Access 3 - 15

3.7 Business Resumption 3 - 16

3.7.1 Risk Analysis 3 - 16

3.7.2 Disaster Recovery/Contingency Plan 3 - 16

3.8 Public Sector ICT Security Incident Handling 3 - 18

3.8.1 Causes of Security Incidents 3 - 19

3.8.2 Handling Security Incidents 3 - 19

3.8.3 Developing Security Incidents Handling Capability 3 - 19

3.8.4 Issues to Consider When Setting an Incident HandlingCapability 3 - 21

3.9 Public Sector ICT Security Awareness, Training, AcculturationAnd Education 3 - 21

3.9.1 Benefits of Public Sector ICT Security Awareness,Training, Acculturation and Education 3 - 22

3.9.2 Public Sector ICT Security Awareness 3 - 23

3.9.2.1 Techniques 3 - 24

3.9.3 Public Sector ICT Security Training & Acculturation 3 - 25

3.9.3.1 General Users 3 - 25

3.9.3.2 Specialised or Advanced Skills Users 3 - 26

3.9.4 Public Sector ICT Security education 3 - 26

3.9.5 Implementation 3 - 26

3.9.5.1 Understand the Core Business of theOrganisation 3 - 26

3.9.5.2 Identify Gaps in Public Sector ICT SecurityKnowledge 3 - 27

3.9.5.3 Align Skill Gaps to Support the Organisation’sCore Business 3 - 27

3.9.5.4 Identify Suitable Staffs 3 - 27

3.9.5.5 Allocate Financial Resources andIdentify Training Location 3 - 27

3.9.5.6 Execute, Maintain and EvaluateProgramme Effectiveness 3 - 28

viii

10 Physical and Environmental ICT Security 3 - 29

3.10.1 Physical Security Perimeter 3 - 29

3.10.2 Physical Entry Controls 3 - 29

3.10.3 Secure Area 3 - 30

3.10.4 Working in a Secure Area 3 - 30

3.10.5 Site Protection for Data Centre and Computer Room 3 - 31

3.10.6 Equipment Protection 3 - 31

3.10.6.1 Hardware Protection 3 - 31

3.10.6.2 Storage Media Protection 3 - 31

3.10.6.3 Documentation Protection 3 - 32

3.10.6.4 Cabling Protection 3 - 32

3.10.7 Environmental Security 3 - 32

3.10.7.1 Environmental Control 3 - 32

3.10.7.2 Power Supply 3 - 33

3.10.7.3 Emergency Procedures 3 - 33

3.11 Cryptography 3 - 33

3.11.1 Symmetric (or Secret) Key Systems 3 - 34

3.11.2 Asymmetric (or Public) Key Systems 3 - 34

3.11.3 Key Management Issues 3 - 35

3.11.4 Disaster Cryptography and Cryptographic Disasters 3 - 35

3.11.4.1 Disaster Cryptography 3 - 35

3.11.4.2 Cryptographic Disasters 3 - 36

3.11.4.3 What to do in the event of a Cryptographic 3 - 36Disaster

3.12 Public Key Infrastructure (PKI) 3 - 37

3.13 Trusted Third Parties (TTP) 3 - 38

3.13.1 Assurance 3 - 38

3.13.2 Services of a TTP 3 - 39

3.13.3 Legal Issues 3 - 39

Chapter 4 TECHNICAL OPERATIONS 4 - 1

4.1 Computer Systems 4 - 1

4.1.1 Change Control 4 - 1

4.1.2 Equipment Maintenance 4 - 2

4.1.3 Disposal of Equipment 4 - 2

ix

2 Operating Systems 4 - 2

4.2.1 Proprietary Issues 4 - 3

4.2.2 Shareware and Freeware Operating System Issues 4 - 3

4.2.3 Logical Access Control 4 - 3

4.2.3.1 Identification of Users 4 - 3

4.2.3.2 Authentication of Users 4 - 4

4.2.3.3 Limiting log-on Attempts 4 - 5

4.2.3.4 Unattended Terminals 4 - 6

4.2.3.5 Warning Messages 4 - 6

4.2.4 Audit Trails 4 - 6

4.2.5 Back-up 4 - 7

4.2.6 Maintenance 4 - 7

4.2.6.1 Patches and Vulnerabilities 4 - 7

4.2.6.2 Upgrades 4 - 7

4.3 Application System 4 - 8

4.3.1 Application Software 4 - 8

4.3.2 Databases 4 - 8

4.3.3 Systems which Employ Artificial Intelligence 4 - 9

4.3.4 Application Testing 4 - 9

4.3.5 Defective and Malicious Software 4 - 9

4.3.6 Change of Versions 4 - 10

4.3.7 Availability of Source Code 4 - 10

4.3.8 Unlicensed Software 4 - 10

4.3.9 Intellectual Property Rights 4 - 11

4.3.10 Malicious Code 4 - 11

4.3.11 Unauthorised Memory Resident Programs 4 - 11

4.3.12 Software Provided to External Parties 4 - 12

4.3.13 Software from External Sources 4 - 12

4.4 Network System 4 - 13

4.4.1 Securing a Network 4 - 13

4.4.1.1 Design of a Secure Network 4 - 13

4.4.1.2 Network Security Controls 4 - 14

4.4.2 Security of Network Equipment 4 - 15

4.4.2.1 Installation Security 4 - 15

4.4.2.2 Physical Security 4 - 15

4.4.2.3 Physical Access 4 - 16

x

4.2.4 Logical Access 4 - 16

4.4.2.5 Unauthorised Use of Equipment 4 - 17

4.4.2.6 Equipment Configuration 4 - 17

4.4.2.7 Equipment Maintenance 4 - 17

4.4.2.8 Disposal of Equipment 4 - 18

4.4.3 Securing Different Modes of Communications 4 - 18

4.4.3.1 Wired Network 4 - 18

4.4.3.2 Wireless Communication 4 - 19

4.4.3.3 Microwave Communication 4 - 20

4.4.3.4 Satellite 4 - 20

4.4.4 User Accessibility 4 - 20

4.4.4.1 Local Area Network 4 - 21

4.4.4.2 Remote Access 4 - 21

4.4.4.3 Dial-up Access 4 - 22

4.4.4.4 Virtual Private Networks 4 - 23

4.4.5 Connection with other Networks 4 - 24

4.4.5.1 Integrity of Connections 4 - 24

4.4.5.2 Firewalls 4 - 24

4.4.5.3 Public Users 4 - 27

4.4.5.4 Distributed Network Access 4 - 27

4.4.6 Protection during Transmission 4 - 28

4.4.6.1 Uploading & Downloading within Intranet 4 - 28

4.4.6.2 Uploading & Downloading to/from the Internet 4 - 28

4.4.7 Network Monitoring 4 - 29

4.4.7.1 Problems to be Monitored 4 - 29

4.4.7.2 How to Overcome Insider Attacks and Hackers 4 - 32

4.4.7.3 Monitoring Tools 4 - 33

4.5 Security Posture Assessment of ICT 4 - 34

Chapter 5 LEGAL MATTERS 5 - 1

5.1 Cyber Laws and Legal Implications 5 - 2

5.1.1 Digital Signature Act 1997 5 - 2

5.1.2 Computer Crime Act 1997 5 - 2

5.1.3 Telemedicine Act 1997 5 - 4

5.1.4 Copyright (Amendment) Act 1997 5 - 4

5.1.5 Communications and Multimedia Act 1998 5 - 5

5.1.6 Malaysian Communications & MultimediaCommission Act 1998 5 - 6

xi

2 Crime Investigation 5 - 6

5.2.1 Definition of Computer Crime 5 - 6

5.2.1.1 Examples of Computer Essentials 5 - 6

5.2.1.2 Examples of Computer Non-Essentials 5 - 7

5.2.2 Evidence 5 - 7

5.2.2.1 Types of Evidence 5 - 7

5.2.3 Conducting Computer Crime Investigation 5 - 7

5.2.3.1 Detection and Containment 5 - 8

5.2.3.2 Report to Management 5 - 8

5.2.3.3 The Preliminary Investigation 5 - 8

5.2.3.4 Determine if Disclosure is Required 5 - 9

5.2.3.5 Investigation Considerations 5 - 9

5.2.3.6 Who should Conduct the Investigation 5 - 9

xii

List of Tables

Page

1. Table 3.1: Conventional vs. Digital Information Handling 3 - 1

2. Table 3.2: Public Sector ICT Security Awareness, Training and EducationProgramme 3 - 23

3. Table 5.1: Malaysian Cyber Laws 5 - 1

4. Table 5.2: List of Offences, Punishment and Enforcement 5 - 3

5. Table 5.3: List of Offences, Punishment and Enforcement 5 - 5

xiii

List of Figures

Page

1. Figure 1.1: Various Levels of Details of Standards and Documents 1 - 3

2. Figure 1.2: Malaysian Public Sector Management of ICT Security Handbook(MyMIS) Roadmap 1 - 5

3. Figure 2.1: ICT Security in the System Life Cycle Phases 2 - 10

4. Figure 3.1: Handling Protection 3 - 1

5. Figure 3.2: Risk Analysis Model 3 - 17

6. Figure 4.1: Generic Network Security Architecture 4 - 14

xiv

List of Appendices

Page

1. Appendix A : Rangka Dasar Keselamatan Teknologi Maklumat Appendix A - 1dan Komunikasi Kerajaan

2. Appendix B : Examples of Common Threats Appendix B - 1

3. Appendix C : Examples of Common Abuses, Methods and Appendix C - 1Detection

4. Appendix D : Example of Contents List for an Agency/ Appendix D - 1Department ICT Security Policy

5. Appendix E : A Sample ICT Security Risk Management Process Appendix E - 1

6. Appendix F : A Sample ICT Security Adherence Compliance Appendix F - 1Plan

7. Appendix G : A Sample ICT Strategic Plan Appendix G - 1

8. Appendix H : Mekanisme Pelaporan Insiden Keselamatan Appendix H - 1Teknologi Maklumat dan Komunikasi (ICT)

9. Appendix I : A Sample Help Desk Reporting Form Appendix I - 1

10. Appendix J : A Sample Employee Awareness Form Appendix J - 1

11. Appendix K : A Sample Employee Security Checklist Appendix K - 1

12. Appendix L : Disaster Recovery and Contingency Planning Appendix L - 1Checklist for ICT Systems

References

Glossary

xv

MyMIS

Copyright MAMPU Chapter 1 - 1

1.1 General

“Public Sector ICT Security can be defined as the process of ensuring businesscontinuity and services provision free from unacceptable risk. It also seekto minimize disruptions or damage by preventing and minimizing securityincidents” – Public Sector ICT Security Policy (Appendix A).

The security of information within the Government of Malaysia’s Informationand Communications Technology (ICT) system is a subject of major concern.Threats such as impersonation, malicious code, misuse of data, easily availablepenetration tools, powerful analytical techniques contribute in whole or inpart to the necessity of providing adequate protection to public sector ICTassets. These threats if left unchecked, will result in painful explaination atthe very minimum or untold damage to the country. Apart from incurringfinancial losses, both in terms of resources and unavailable services, thesethreats severely jeopardises the confidentiality, integrity and availability ofofficial government information and in the end may be of detriment to thecountry. The hardest thing to comprehend is that an attack can be easilymounted by anyone from anywhere courtesy of the information superhighwayand the misused concept of global instantaneous information sharing. Someexamples of common threats are listed in Appendix B.

Over the years, government agencies have been religiously collecting vastamount of information. It is in the early 70’s that these information havebeen deposited into digital format and since then, these repositories haveunknowingly become exposed because of the invaluable information theykeep and now in a format easily manipulated without stringent audit trail.The government realises this and that the government is also aware thatthere is an urgent need to secure the vast information resource througheffective management of the security of ICT systems. In this regard, effortsare being made to ensure Public Sector ICT Security management achieveand maintain a high level of confidentiality, integrity and availability.

A comprehensive approach is required in planning, developing, operatingand maintaining the government’s ICT security processes. The ICT securitymeasures need to be incorporated early, in the requirement specificationand design of the ICT system, before the implementation stage to ensurea cost-effective and comprehensive system. The main steps include:

(a) assessing the current security strengths and vulnerabilities;

(b) developing ICT security policies, standards and processes;

(c) designing and developing a customised security architecture; and

(d) evaluating and selecting the best security system for the organisation.

Chapter 1 INTRODUCTION

Definition

Need for effective PublicSector ICT Securitymanagement

A comprehensiveapproach to ICT Securityprocesses is required

Security of informationwithin the government’sICT system is a majorconcern

MyMIS


The ICT security process must cover all aspects of operation, includingmechanisms used by hardware and software systems, networks, databasesand other related systems and facilities. The goal is to achieve a secureworking environment for employees and other persons working at or visitingthe government’s facilities as well as to help establish processes to ensurethe protection of information.

The ICT security process should mirror the management’s direction inrelation to:

(a) overall organisational policy;

(b) organisational roles and responsibilities;

(c) personnel;

(d) government’s asset classification and control;

(e) physical security;

(f) system access controls;

(g) network and computer management;

(h) application development and maintenance;

(i) business continuity;

(j) compliance to standards as well as legal and statutory requirements;

(k) classification and protection of information media;

(l) employee awareness programmes; and

(m) incident reporting and response.

1.2 Standards Framework

This handbook provides essential guidelines to government employees onthe ICT security process in the public sector. It is based mainly on twostandards i.e. the MS ISO/IEC 13335 (Part 1 - 3) and the BS 7799 (Part1 and 2). It also makes references to the Canadian Handbook on InformationTechnology Security, German IT Baseline Protection Manual and other relatedISO standards.

Various levels of details of standards can be viewed in the model depictedin Figure 1.1. In comparison to other standards and documents of ICT securitymanagement particularly to their level of detail, this handbook can be positionedalong with the BS 7799, the Canadian MG-9 and the American NationalInstitute of Science and Technology (NIST). This is warranted by the factthat this handbook is jurisdictional and specific to the Malaysian public sector.

In the model, the areas and level of details of these standards varies betweeneach standard. Level 1, 2, 3 and 4 represent the Guidelines for the Managementof IT Security (GMITS) or ISO/IEC 13335. It indicates the depth of knowledgerequired to understand the respective level. As an example, a Level 1 documentneeds no prior knowledge on ICT security management while a Level 2document needs at least some understanding of the previous level.

The model progresses from Level 1 ‘Concepts and Models’ to Level 2 ‘Managingand Planning IT’, Level 3 ‘Techniques for the Management of IT’ beforedetailing ‘Selection of Safeguards, Management Guidance on Network andGuidelines for the Management of Trusted Third Parties’ in Level 4.

ICT security processesshould mirrormanagement’s direction

This handbook providesguidelines on ICTsecurity based oninternational standards

Description of model(Figure 1.1)

Level 1 to level 4 of themodel

The ICT security processmust cover variousaspects in achieving asecure enviroment

MyMIS


Levels of details

▼

World/Global

Nation/Organization

Site/Domain

Level 5 represents the three standards referred, i.e. BS 7799, the CanadianHandbook of Information Technology and the NIST. Documents under thisgroup are categorised as jurisdictional and culture-specific. The MyMIShandbook is represented at this level.

The standards within Level 6 are domain and application specific. Examplesof such standards are the German IT Baseline Protection document, theIETF RFC 2196 Site Security Handbook, the ISO/TR 13569 on Banking andRelated Financial Services, the CEN ENV 12924 on Medical Informatics:Security Categorisation and Protection Healthcare Systems and the ISO/IEC15947 on IT Intrusion Detection Framework.

1.3 Handbook Coverage

This handbook provides the necessary guidelines on ICT security managementsafeguards to enable implementation of minimal security measures. It discusseselements of management safeguard, common operational and technical issues,and legal implications. The appendices at the end of the handbook may beof use to users with templates on security policies, adherence complianceplan, strategic plan, incident reporting mechanism, checklists and procedures.Its capacity is advisory and where the information contained is superceded(changes in technology, processes, legal requirements, public expectation)the reader is advised to refer to current adopted best practices.

Level 5 of the model

Level 6 of the model

This handbook describessafeguards, operationaland technical issues andlegal implications

Level 1ISO/IEC 13335-1

GMITS:Concepts and Models


GMITS: Managing and Planning IT


GMITS: Techniques for the Management of IT

Level 4• ISO/IEC 13335-4 GMITS: Selection of Safeguards• ISO/IEC 13335-5 GMITS: Management Guidance on Network• ISO/IEC 14516: Guidelines for the Management of Trusted Third Parties

Level 5Jurisdiction and culture-specific documents (National IT Security guidance documents)• BS 7799• Canadian Handbook on Information Technology (MG-9)• The NIST Handbook• MyMIS

Level 6Domain and application specific documents, Industry guides

• German IT Baseline Protection Manual• IETF RFC 2196 Site Security Handbook• ISO/TR 13569 Banking and Related Financial Services-Information Security Guidelines• CEN/ENV 12924 Medical Informations & Security Categorisation and Protection for

Healthcare systems• ISO/IEC 15947 IT Intrusion Detection Framework

Figure 1.1: Various Levels of Details of Standards and Documents

MyMIS


The ICT security management safeguard identify five (5) major elementsthat should be considered by all public sector ministries, departments andagencies to protect their ICT systems. These elements are the ICT securitypolicy, ICT security management programme, ICT security risk management,planning and incorporation of ICT security into the ICT systems life cycleand establishing ICT security assurance.

The handbook further explains some fundamental operational componentsof ICT security that is best recognised by public sector employees.

Technical security involves the use of safeguards incorporated into computerand communications hardware and software, operations systems or applicationssoftware and other related devices. This chapter explains the technical levelof ICT security in greater detail.

The last chapter of this handbook briefly explains legal matters with respectto Malaysian law. It highlights Malaysian cyber laws and the various aspectsof criminal investigations.

The appendices of this handbook provide some samples of framework, plan,checklist and forms useful in the ICT security management process.

1.4 Audience

The main objective of this handbook is to provide guidance to employeeswithin government agencies on the essential components of ICT security.It is intended to be the primary reference book used by all governmentemployees in safeguarding the government’s ICT assets.

Various categories of government employees will benefit from the handbookas it covers a wide range of topics. Nevertheless this handbook is alsouseful to anyone wishing to learn about the application of ICT security.

The handbook is presented in five (5) chapters that can be divided into three(3) different levels; Essential, Intermediate and Advanced (Figure 1.2). TheEssential level, which comprises of Chapter 1, Chapter 2 and Chapter 5,provides fundamental knowledge on ICT security and is suitable for chiefexecutives and managers in the public sector.

The Intermediate i.e. Chapter 3 is intended for general ICT users of thepublic sector. The description and explanation will provide guidance to userson the basic operational security safeguard to be implemented and maintainedby them.

The Advanced stage i.e. Chapter 4 is proposed for the more experiencedICT administrators and managers. The descriptions on technical details ofICT security should provide guidance and direction on steps that need tobe taken to ensure the confidentiality, integrity and availability of public sectorICT systems.

Technical details of ICTsecurity

Legal implications

Main objective is toprovide guidance to allgovernment employees

The handbook is for ALLgovernment employees

Organisation of thecontent of the handbook

ICT security managementsafeguards

MyMIS


Chapter 1Introduction

Chapter 2ManagementSafeguards

Chapter 3BasicOperation

Chapter 4TechnicalOperation

Chapter 5LegalMatters

ESSENTIAL INTERMEDIATE ADVANCED

Figure 1.2: Malaysian Public Sector Management of ICT Security Handbook(MyMIS) Roadmap

MyMIS


The main objective of this chapter is to highlight the major elements thatshould be considered by all government ministries, federal departments,statutory bodies, state secretaries and local authorities in their efforts tosafeguard their respective ICT systems. Of utmost importance is seniormanagement commitment towards acknowledging and addressing securityissues.

The five (5) major elements of management safeguards are:

(a) Public Sector ICT Security Policy;

(b) Public Sector ICT Security Programme Management;

(c) Public Sector ICT Security Risk Management;

(d) Incorporating Public Sector ICT Security into ICT System’s Life Cycle;and

(e) Public Sector ICT Security Assurance.

2.1 Public Sector ICT Security Policy

The government acknowledges its obligation to ensure appropriate securityfor all ICT assets under its ownership. This is best implemented by havinga written ICT Security Policy that serve to assist in identifying at the veryoutset what needs to be protected. The document will also inform departmentmembers what activities are allowed or what activities are disallowed. Thepolicy should define common rules to be abided by everyone withinthe organisation. The policy so formulated should address the need for atotal enforcement of controls and measures to safeguard government ICTassets.

The tremendous increase in ICT dependency and usage especially with theadvent of the Internet, exposes government information to a much largeraudience and with that a potential threat that government information beingcompromised. This is especially worrying on classified government informationand if left unchecked, can cause serious integrity issues to the government.At the same time, there need to be a balance between rigid informationcontrol that limits service delivery on one hand against a loose informationcontrol that would compromise security or severely affect the interest of thepublic service or the nation.

It is in realising the absolute importance of the provision of ICT security, theICT Security Policy be drafted based on concrete ICT principles, best practices,responsibilities towards securing information, threats and incremental stepstowards upgrading information security.

Chapter 2 MANAGEMENT SAFEGUARDS

Senior managementcommitment

5 major elements

ICT Security Policy mustensure the government’sinformation is secured

Policy needs to bebalanced between rigidand loose informationcontrol

MyMIS


Essentially the ICT Security Policy document should state:

(a) the ICT Security Policy statement;

(b) the rationale behind ICT security in protection against unauthorisedaccess, ensuring availability and minimising security breaches;

(c) the ICT security definition inclusive of coverage of assets to beprotected;

(d) the objectives of ensuring government operations continuity and tominimise disruptions by minimising impact of security incidents;

(e) the security principles adopted;

(f) the establishment of a clear management framework defining generaland specific responsibilities for ICT security management, includingreporting security incidents;

(g) the need for ICT security awareness training for all staff and specificsecurity training for those with greater responsibilities; and

(h) the understanding of the requirement for shared responsibility inprotecting government information.

There are three (3) different levels of Public Sector ICT Security Policyformulation. The higher level is the Central Level that provides the generalpolicy direction. The next level is the Ministry/State Level that addressesspecific issues and the Departmental Level handle operational issues.

2.1.1 Central Level

This is the top most management level that initiates ICT Security within thepublic service. This role has been entrusted to Malaysian AdministrativeModernisation and Management Planning Unit (MAMPU), Prime Minister’sDepartment. MAMPU initiates and maintains the Public Sector ICT SecurityPolicy Framework and is the referral centre on Public Sector ICT Securityissues.

The high level policy issued as a General Circular 3/2000 dated 1 October2000 (Pekeliling Am Bil. 3 Tahun 2000 bertarikh 1 Oktober 2000) providethe direction towards securing government ICT assets (Appendix A).The policy:

(a) defines the purpose and scope;

(b) assigns the responsibilities for programme implementation; and

(c) principles adopted.

2.1.2 Ministry/State Level

Issues addressed at this level are normally specific issues of concern affectingparticular organisation or across the public service such as the disposal ofunwanted computing equipment or backup of sensitive data.

While the Central Level policy is intended to address the broad Public SectorICT Security programme, the ministry/state level ICT management statementsare developed to focus on specific areas currently relevant and of concernto the ministry/state.

Important factors toconsider in formulatingthe ICT Security Policy

MAMPU is at the CentralLevel of formulating ICTpolicies for the publicsector

Specific issues affectingparticular organisation

Issue-specific levelfocuses on local areas orcurrent issues

MyMIS


The management may find it appropriate, for example, to issue a plan ofaction on how the ministry/state should approach contingency planning (examplecentralised vs. decentralised) or the use of a particular methodology formitigating a particular risk to ICT systems. Ministry/State wide plans maybe appropriate when new issues arise, such as integration to legacysystems that may possibly require additional protection of some particularinformation.

While the Central Level broad-based policy may not require much modificationover time, ministry/state policy formulation will likely require more frequentrevision as changes in technology, demands, requirements, legislation andbusiness rules take place.

2.1.3 Departmental Level

Operating or System-specific level focuses on actions taken to protect aparticular system. This is operating at the action level where detail knowledgeon procedures, standard, and guidelines are the daily norm.

While the Central and Ministry/State Specific Levels address issues from abroad perspective encompassing the entire organisation, they do not providedetailed information for example, on establishing application priorities, accesscontrols and other specific requirements. This is where the departmentallevel or specific programme is needed.

Departmental Level security policy is applied at the computer system operationslevel and may vary from system to system even within the same organisation.The departmental security policy has an important impact on system usageand safeguarding Public Sector ICT Security. The decision to adopt adepartmental ICT Security Policy for the organisation can be made at themanagerial level. Refer to Appendix D: Example of Contents List for anAgency/Department ICT Security Policy for guidelines on formulating policy.

2.2 Public Sector ICT Security Programme Management

This sub-section discusses the importance of programme management andpresents an organisation-wide approach in managing Public Sector ICT Security.Programme management among others encompasses nominating ICT SecurityOfficers, developing security policies, carrying out security audits and providingICT security incident response and handling services. In this respect, it isnoted that the various ministries, departments and agencies in the publicsector differ vastly in function, size, complexity, management style andculture.

In comparison to Public Sector ICT Security Policy formulation, there areonly two (2) different levels of programme management. The higher levelis the Central Level, which is responsible for overall strategy, co-ordination,planning and implementation as well as advice and direction on ICT securityissues. Next is the Operating Level, which encompasses both ministry/stateand department. ICT security programme management at this level detailsthe procedures for implementing cost-effective ICT security.

Issue a plan of action

Operating at theaction level

The operating level orsystem specific providesdetail information toaddress issues

The operating levelsecurity policy hasimportant impact onsystem and its security

Programme managementis important

2 different levels ofprogramme management

MyMIS


2.2.1 Central Public Sector ICT Security Programme Management

At the Central Level, ICT security programme management consists of thefollowing:

(a) formulating Public Sector ICT Security Policy Framework;

(b) ICT Security Awareness and Training;

(c) ICT Security Incident Response and Handling;

(d) ICT Security Posture Assessment;

(e) ICT Security Business Resumption Plan Framework; and

(f) enforcement, audit and supervision.

A central Public Sector ICT Security programme should provide three distincttypes of benefits:

(a) Increased Efficiency and Economies of Scale of Public Sector ICTSecurity;

(b) Efficient, Economic Co-ordination of Information

A co-ordinated centralised programme can assist in the collectionand dissemination of ICT Security related information efficientlythroughout the Public Sector. Since it is centrally controlled, variousinformation can be channelled directly to the respective Public SectorICT Security Officer at the various agencies; and

(c) Central Enforcement and Supervision

One of the functions of the Central Level is the evaluation ofenforcement activities and compliance. In this regard, the organisationneeds to understand the business requirements, issues, vulnerabilitiesand Public Sector ICT Security discrepancies internally. This couldbe done through an internal supervisory function that allows a first-hand look at ICT issues without the potential embarrassment of anexternal audit or investigation.

2.2.2 Operating Level Public Sector ICT Security Programme Management

Unlike the central programme that addresses the entire spectrum of PublicSector ICT Security, the operating level addresses the procedures forimplementation of appropriate and cost-effective ICT security. Some of thesalient items in considering the operating programme are:

(a) implementing safety measures;

(b) selection and installing of safety measures;

(c) day-to-day Public Sector ICT Security administration;

(d) evaluation of ICT system vulnerabilities; and

(e) responding to Public Sector ICT Security problems.

The local advocate for the security programme at this level is the ICT SecurityOfficer (ICTSO). This officer is nominated by the ministry or department assuggested in the Public Sector ICT Security Policy Framework.

Central Level ICTSecurity programmecomponents

Benefits of ICT Securityprogramme

Scope of Operating LevelPublic Sector ICTSecurity Programme

Local advocate

MyMIS


At the operating level, the ministry or department should embark on:

(a) formulating departmental ICT security policy;

(b) undertaking ICT system life cycle management with respect to security;

(c) providing ICT security awareness and training;

(d) testing Business Resumption Plan; and

(e) conducting scheduled ICT security review.

2.3 Public Sector ICT Security Risk Management

Security can be defined as a condition that is free from threats and unacceptablerisks. Public Sector ICT Security should be looked upon as a continuousprocess. It involves periodic activities that must be implemented to ensurethat security is within an acceptable risk level, taking into considerationtechnology change that brings with it rapidly changing threats and vulnerabilities.

The principal objectives of securing ICT assets are to ensure governmentoperations continuity and minimise disruptions or damage by preventing andminimising the impact of security incidents. ICT security aims at facilitatinginformation sharing and simultaneously ensuring the protection of the informationand ICT assets. In order to achieve the desired Public Sector ICT Securityacceptance level, the vehicle used in assessing risk is aptly termed PublicSector ICT Security Risk Management. By definition, risk management is theprocess of assessing risks, taking steps to mitigate the risks to an acceptablelevel, accepting and monitoring the residual level of risks. A sample of ICTSecurity Risk Management process is as in Appendix E.

Steps required for better risk management includes:

(a) formation of a risk management committee;

(b) identifying the risks and threats;

(c) evaluating the risks and threats;

(d) identifying the necessary safeguards and counter measures;

(e) managing residual risk;

(f) implementing safeguard and monitoring effectiveness; and

(g) undertaking uncertainty analysis.

2.3.1 Formation of Risk Management Committee

Risk analysis should be co-ordinated by the ICTSO and are best performedby a team of individuals representing the following disciplines:

(a) data processing operations management;

(b) systems programming (operating systems);

(c) systems analysis;

(d) applications programming;

(e) data base administration;

(f) auditing;

Action by ministry anddepartment

Public Sector ICTSecurity is a continuousprocess

Need to ensure securityis within an acceptablerisk level

Principal objective is toensure businesscontinuity

Steps for better riskmanagement includeidentifying risks,evaluating risks andimplementing safeguards

Representation on RiskManagement Committee

MyMIS


(g) physical security;

(h) communication networks;

(i) legal issues;

(j) functional owners; and

(k) system users.

2.3.2 Identification of Risks and Threats

The identification of risks and threats is a critical step towards securing ICTassets. The result of the identification will dictate further activities and thechannelling of resources, which consists of funding, training efforts and futureplanning. Hence, the proper planning of this activity cannot be overemphasisedand should focus on avoiding core business shutdown or, at the least, minimisingdisruptions.

In the public sector, unauthorised disclosure may result in embarrassmentwhere the risk may not be quantifiable in terms of monetary loss.

In identifying the risks and threats, the ICTSO in consultation with the ChiefInformation Officer (CIO) and administrators will need to:

(a) review the value of the information contained in their systems orinformation that could be derived from their information systems.Once this is done, the value attached to the ICT assets can helpdetermine the level and types of risks that can or should be tolerated;

(b) determine events or combinations of events that could disrupt businessoperations. Admittedly, this is rather difficult to implement since thelist could be endless. However most risks are visible and can beeasily listed. Examples are physical sites, access controls, powersupplies, environmental controls, etc.; and

(c) establish the priority to the risk elements identified. Some risks canhave low priority whilst others are categorised as high priority risks.There is no rule to establish this, as risks are interpreted differentlyby agencies according to differing perceptions about the level ofdisruption or damage. In this light, the management may want toattach an association between risks, its potential disruptive abilityand the cost of reconstruction.

The methods employed for identification of risks and threats may be formal(user observation reports), informal (corridor talk), quantitative or qualitativeor a combination of these methods.

2.3.3 Evaluation of Risks and Threats

Once identification of risks and threats is completed, the process evolvestowards risk evaluation, which involves the collection and analysis of data.There are many sources of information that can be used to conduct thisexercise. Since information sources can be numerous, steps should be takento screen and analyse the data. This can be performed by focusing on areas

Identifying risks andtaking action

Unauthorised disclosurewill cause embarrassment

CIOs and the ICTSOneed to discuss the risksand threats

Evaluating risk throughanalysis of data andinformation

MyMIS


that have the greatest impact on the organisation. The following steps canbe adopted in evaluating the risk:

(a) quantify the monetary value of a loss by considering these keyelements in risk analysis:

i. an estimate of the impact or cost of a specific difficulty if ithappens; and

ii. an estimation of the probability of encountering that difficultywithin a period of time;

(b) determine the potential economic impact of those risks or eventsassociated with each threat by using the list of vulnerabilities associatedwith the department’s information assets identified in the previousstep;

(c) estimate the probability of the undesirable events occurring withina specified period of time (usually one year). Identifying risks andtheir economic impact does not directly lead to identifying whichsecurity exposures are worth corrective action and which are not.Estimating and considering the likelihood or probability of theundesirable events is vital. For example, events such as floods orearthquakes have catastrophic consequences. However, if they appearto have a low probability of occurrence they might not justify protectivemeasures and the decision may be to tolerate the risks;

(d) evaluate the suitability of the following options once the monetaryvalue exposure or its annual loss is estimated:

i. tolerate the risk;

ii. insure against the risk;

iii. lower the monetary impact by implementing those measurescosting less than the exposure; or

iv. lower the probability of the loss occurring by implementingprotective measures costing less than the exposure;

(e) determine whether security safeguards are needed and if so, allocatethe cost. The information gained from this can be used to estimatethe annual monetary value of a loss, which subsequently can beused to provide a common denominator for determining the magnitudeof each risk. A department may then develop safeguards againstthe high monetary loss risks; and

(f) identify alternative security safeguards and provide recommendationsfor cost-effective security solutions.

2.3.4 Identification of Necessary Safeguards

Amongst the key elements of Public Sector ICT Security is to identify suitablesafeguards. The process of identification could result in acquiring additionalsafeguards or the removal of ineffective safety measures because both monetary

Identify the safeguards–could be additional orremoval of ineffectivesafety measures

MyMIS


and non-monetary factors are involved. For example, it may be effectivefrom an economic and safety viewpoint to impose a new locking mechanismrather than to employ a security guard.

In the assessment of risks other than monetary issues, there will be areaswhere it is not obvious as to what kind of safeguard is appropriate.

The other factors that should be considered by ICTSOs and ICT Managersare:

(a) legislation, regulation and organisation policy;

(b) user and business requirements;

(c) ICT system performance requirements;

(d) timeliness, accuracy, and completeness requirements;

(e) the life cycle costs of Public Sector ICT Security measures;

(f) the relative strength of the proposed safeguard;

(g) the reliance of other safeguards being considered;

(h) technical requirements; and

(i) cultural constraints.

2.3.5 Managing Residual Risks

It is not possible to mitigate all risks and threats identified because, inreality, all ICT installations operate on limited resources. The managementneeds to decide what risks should and can be mitigated. The remainder ofthe risks not mitigated is generally known as residual risks. Once this typeof risk has been identified based on priority ranking, a decision has to bemade as to whether these risks are acceptable or otherwise. Managing residualrisk should not severely affect the delivery of services and should be properlydocumented and monitored over time. Such residual risks should be quantifiedas far as possible and additional safeguards should be implemented if theyare considered too high. The decision to balance between acceptable andunacceptable risk is a management decision.

2.3.6 Implementing Safeguards and Monitoring Effectiveness

Once a decision has been made to implement the appropriate safeguards,the decision must be followed through. There is also the requirement thatthe safeguards be maintained and this process must be seen as ongoing,for inappropriate maintenance can render the safeguards ineffective. Also,it calls for periodic assessments to improve the safeguards with possiblerequirement for re-analysis of risk.

2.3.7 Uncertainty Analysis

There will be instances when the management of risk relies on hearsay,speculation, best guess, assumption and incomplete data. Uncertainty analysisattempts to document this grey area so as to keep management informedand aware.

ICTSOs and ICTmanagers need toconsider many factors inidentifying the safeguards

Not possible to mitigateall risks and threats

Need to make decisionon which ones

Once decision is made-need for follow-through

Need to maintain, ensureit is ongoing

Need for periodicassessments

Uncertainty analysisattempts to documentgrey areas

MyMIS


Two primary sources of uncertainty in the risk management process are:

(a) unknown precision of the methodology used; and

(b) difficulty to determine the exact value of the various elements inthe risk model such as threats frequency, potential damage etc.

It is possible that a data source is uncertain. Normally, data is collected fromtwo sources; statistical data and expert analysis. However, there are potentialproblems from both sources. For example: samples taken may not be reflectiveof the true situation; missing or not properly counted parameters; misleadingresults and insufficient data. When expert analysis is done, it should berecognised that projections are subjective and the assumptions are alwaysquestionable.

2.4 Incorporating Public Sector ICT Security into the SystemLife Cycle

The purpose of incorporating the Public Sector ICT Security Plan into theICT System Life Cycle is to ensure that the Public Sector ICT Securitycomponent is not overlooked. Since ICT has played an irreversible role inservice delivery in the public sector, the planning of ICT systems shouldalways include Public Sector ICT Security at the very onset. The PublicSector ICT Security Plan should be viewed as a documentation of the structuredprocess to plan for adequate, cost-effective Public Sector ICT Security protectionfor the overall system.

2.4.1 Benefits of Integrating Public Sector ICT Security in the SystemLife Cycle

It is recommended that the Public Sector ICT Security Plan be developedat the beginning and incorporated into the system life cycle. It would bedifficult and expensive to redesign the applications to cater for security featuresat a later stage. Moreover, it can cause project delays, disruptions, diminishexpectations and overall low morale.

Furthermore, it is virtually impossible to anticipate the whole array of securityproblems that would deter the incorporation of the Public Sector ICT SecurityPlan at the later stages of the system life cycle. Updating the security plan,at least, at the end of each phase in the system life cycle can minimiseissues.

The documentation of decisions related to Public Sector ICT Security intothe system life cycle should help assure management that Public Sector ICTSecurity is fully addressed in all phases including applicable legislation andother requirements.

2.4.2 The ICT System Life Cycle Phases

It is recommended that planning for Public Sector ICT Security follow thestages described in most models of ICT System Life Cycle consisting of thefollowing five (5) basic stages, incorporating ICT security issues in eachstage and as depicted in Figure 2.1:

Projections andassumptions can beindeterminate.

Might be too expensiveto incorporate later.

Also can cause delay,disruption, etc.

5 stages of ICT systemlife cycle.

MyMIS


1st stage: Planning For Change - This is to plan for the changes that will occurwith the implementation of the new ICT system to meet operational and PublicSector ICT security requirements. This exercise can be very daunting, as it willinvolve practically everyone in the organisation especially in areas such as re-training, adaptation and the inception of completely new procedures.

2nd stage: Development/Acquisition - This is the stage where the ICT systemis being constructed, programmed, developed or purchased. The Public SectorICT security requirements based on core business functions, ICT asset valueand risk assessment should be included in this stage.

3rd stage: Implementation - This is the stage where, upon final acceptanceby the government, the ICT security safeguards are initiated.

Figure 2.1: ICT Security in the System Life Cycle Phases

Planningfor Change

Development/Acquisition

Implementation Operation/Maintenance

ICTSecurity

Assessment

Disposal ofObsoletemeasures

Determine ICTSecurity

Requirements(including RiskAssessment)

Install/Turn onICT SecuritySafeguards

ICT SecurityOperations andAdministration

Incorporate ICTSecurity

Requirementsinto

Specifications

ICT securityTesting

(includingcertification)

OperationalAssurance(Monitor/

Audit)

ManagingChange

Obtain thesystem

(build/buyand relatedICT Security

Activities)

AccreditationPeriodic

Re-accreditation

▼

▼ ▼ ▼

▲ ▲ ▲ ▲▲

MyMIS


4th stage: Operation/Maintenance - This is the stage where the developedsystem runs alongside the daily operations of the department. As the systemmatures, expansion through additional equipment and application systemsis inevitable. New requirements may become apparent and obsolete functionsmay need to be removed.

5th stage: ICT Security Assessment - This is the stage where an assessmentis made to determine whether ICT Security requirements are met.

At each of the five (5) stages, additions or deletions to the existing systemmay take place. Therefore the security aspects must be considered for eachactivity in every stage.

2.5 Public Sector ICT Security Assurance

The Public Sector ICT Security assurance means the confidence level in thePublic Sector ICT Security safeguards to operate correctly as planned. Theeffectiveness of ICT security is not easy to assure because of the difficultyin quantifying assurance. As a rule of thumb, two (2) questions should beasked:

(a) who needs to be assured; and

(b) what type of assurance is required.

There are many methods and tools available. Two (2) of these are describedbelow: Design and Implementation Assurance; and Operational Assurance.

2.5.1 Design and Implementation Assurance

The design and implementation assurance means that the design featuresof the ICT system, its operations or ICT assets must meet requirements andspecifications. Assurances of this nature require the examination of the ICTsystem design, the correct functioning of each application and the manualprocesses that support it. Design and implementation assurance is associatedwith the development, testing, as well as pre- and post-implementation stagesof the ICT system life cycle. The design and implementation assurance seeksto address whether the end product complies with the agreed Public SectorICT Security specifications. It is also used to provide evidence of deviationand remedial action.

The following sub-sections suggest some of the major methods that can beadhered to in achieving design and implementation assurance.

2.5.1.1 Testing and Certification

Testing is an activity to quantify compliance to stated requirements. In addition,it can be used to address the quality of the ICT system as it is beingbuilt, implemented and operated. Therefore, the testing should beperformed throughout the development cycle or wherever proof of complianceis required.

2 rule of thumbquestions.

Testing to ensurecompliance torequirement and quality.

MyMIS


Some examples of testing are;

(a) unit test;

(b) components test;

(c) system test;

(d) integration test;

(e) stress test; and

(f) penetration test (to see whether the safeguards can be bypassed).

Certification is formal testing conducted by an independent party. Theappointment of such experts must conform to the current government procedurespertaining to the appointment of consultants. (Refer to Surat PekelilingPerbendaharaan Bil. 3 Tahun 1995 – Peraturan Perolehan PerkhidmatanPerunding).

2.5.1.2 Conformance Testing

The organisation may conduct conformance tests on products such as software,hardware and firmware. Conformance to ICT standards is important to ensurethe inter-operability or strength of ICT security.

2.5.1.3 Use of Reliable Architectures

The use of reliable architecture such as fault-tolerance, redundancy andmirroring enhances the degree of assurance of ICT systems. However theuse of costly reliable architecture is normally reserved for very critical systemsthat demand practically zero fault.

2.5.1.4 Ease of Safe Use

Ease of safe use of Public Sector ICT Security products and mechanismsis another important aspect of the successful implementation of Public SectorICT Security systems. When the interface with safeguards is easy and straightforward, the tendency is that the user is more likely to use the systemcorrectly and commit fewer mistakes. Thus, acceptance by the users enhancesthe overall security assurance.

2.5.1.5 Evaluation and Reviews

Evaluation and reviews are another option for achieving assurance. Productliterature in reviews provides useful information and is normally geared toproduct superiority above other similar products. However, product reviewsare less formal and do not offer detailed and extensive examination as isavailable through an evaluation.

Important factors to consider when attempting to seek comfort level via thismeans are as follows:

(a) independence of the review group;

(b) evaluation criteria;

(c) testing parameters;

Need to use reliablearchitecture.

Product evaluation andreview will help achieveassurance.

MyMIS


(d) competence;

(e) integrity of the evaluating body; and

(f) assumptions made.

2.5.1.6 Assurance Documentation

Assurance documentation is one that describes Public Sector ICT Securityrequirements and how they are met when compared against these requirements.The significance of assurance documentation is the indication of the degreeof understanding as portrayed by the designers, and their presumed abilityto construct solutions to meet the necessary Public Sector ICT Securityrequirements. Please refer to Appendix F: A Sample ICT Security AdherenceCompliance Plan for guidance on compliance programmes.

2.5.1.7 Certification of Product to Operate in Similar Situation

There will be instances when a department seeks clarification that the ICTSecurity product it is about to procure operates seamlessly in its currentenvironment. This may be the case for departments that operate on proprietarysystems wishing to employ products outside their operating environment.

Most producers of ICT Security products, with very good reputation producedocumentation, brochures and advertisement statements of certification oftheir ICT Security products that operate in similar situations. However, itshould be realised that certification to operate in a similar situation is environmentspecific, since it may be certified to operate in one environment but maynot work in another, even though the certification is performed by the samebody.

The risks are high if the products to be procured and used at the requireddepartment are non-certified products. It might be a better decision to optfor other certified products. Certification should be nationally accepted.

2.5.1.8 Self-Certification

In many instances the software vendor or the system integrator of the ICTSecurity system conducts self-certification of their own products. This isdone to determine or at least provide some indication the quality andperformance of their products. This technical evaluation may not be partialbut does provide a minimum degree of assurance. In cases where a highdegree of assurance is required, a third party independent evaluation isrecommended.

2.5.1.9 Warranties and Liabilities

This is another form of assurance where the manufacturer or integratorprovides an undertaking to correct errors or provide upgrades via versionreleases. It can be in the form of a formal declaration or certification of theproduct or published assertion. The manufacturer’s commitment is seen throughits endorsement to correct errors and indemnify loss or damage should theproduct be non-conforming.

Describing how ICTsecurity requirements aremet.

Assurance to operateproducts in differentenvironments.

Test conducted byvendors or suppliers canbe indicators.

Undertaking to correcterrors and provideupgrades.

MyMIS


2.5.1.10 Distribution Assurance

The assurance of ICT products obtained via electronic distribution is important.In such a situation, the distribution of unmodified copies and its integrity canbe ascertained through the use of digital signature or check-bits. Sourcesdownloaded from unknown origin such as bulletin board should be verifiedby anti-virus software at the very least.

2.5.2 Operational Assurance

Whilst design and implementation assurance addresses the quality issues,operational assurance seeks to address technical features such asvulnerabilities, conformance to procedures and changes to Public Sector ICTSecurity requirements. The ICT system being a ‘living’ system changes overtime. Some causes of change include changes to the ICT system due toexpansion of scope, operating systems or threat environment.

The operational performance of ICT systems tends to degrade over time.Creative users and operators resort to new ways to bypass Public SectorICT Security measures with the sometimes incorrect perception that it mayimprove performance. It is very rare where adherence to procedures is strictlyfollowed. In some instances this can produce disastrous results for theadministration of the ICT system.

There are two basic methods to observe operational assurance:

(a) ICT System Audit

This can be either a scheduled or an unscheduled event to evaluatePublic Sector ICT Security. It is important to define the scope of worksince the auditing process can easily be side-tracked towards lessimportant issues. The auditing process can both be investigative innature (to resolve specific issues) or developmental.

(b) Monitoring

This is one of the most effective mechanisms to ensure operationalassurance. However this activity is time consuming and requires moreresources. It involves periodic checks on the overall ICT system includinguser activities, standard operating procedures, the environment etc.

2.5.2.1 Audit Methods and Tools

All audits conducted on public sector ICT installations, environments or premisesshould follow stated or implied Public Sector ICT Security Policy and PublicSector ICT Security Auditing Guidelines or other documents published later.In conducting the ICT audits, the audited department plays a crucial role inextending assistance. The audits have to be treated as developmental andnot as a fault-finding exercise. It is best for the government if the auditeddepartment and the audit team identify the appropriate Public Sector ICTSecurity requirements (which may be additional) based on the existing ICTenvironment. The audit conducted should not interrupt the business operationof the audited department. Three (3) different types of auditing methods withrespect to depth and objectives are described in the following paragraphs.

Assurance by digitalsignature, anti-virussoftware.

Operational assuranceaddresses technicalissues.

Auditing needs to bedevelopmental ratherthan fault-finding.

MyMIS


(a) Audit Methods

i. Public Sector ICT Security Review

Public Sector ICT Security Review can be conducted by internalstaff. This review is comparative in nature and is regarded onlyas informative. Reviews are normally conducted for a short durationbut its preliminary initial results may lead to more advanced anddetailed types of audits.

ii. Internal Audit

The internal audit measures the compliance of the ICT systems.The results of this exercise could be used as a guide even thoughthere may be a conflict of interest.

In every environment, the internal staff is more knowledgeable inthe ICT system installation, system security, etc than a third party.Hence the internal audit review is a required step to be performed.

Inadequacy of an internal review is that a poorly designed or poorlyoperated security system could still be acceptable. On the otherhand, there could be a strong desire to improve the Public SectorICT Security system.

iii. External Audit

In comparison, external auditing involves a third party that has nostake in the ICT systems. The independent party should reviewthe ICT system installation, system security, etc.

In all three cases it is important to ensure that auditing personnel possesssufficient knowledge of Public Sector ICT Security.

Suitable generic auditing tools for the various types of audit described aboveare briefly explained below:

(b) Audit Tools

i. Automated tools (active and passive tools )

The use of automated tools reduces the amount of work that hasto be completed. It is used to identify a variety of threats andvulnerabilities such as improper access control, weak password orfailure in using current up-dates and patches.

Active automated tools are designed to locate vulnerabilities bytrying to exploit them. Passive automated tools examine only theICT system and infer the existence of problems.

The government’s Public Sector ICT Security could be in a difficultsituation if automated tools are not used. This is primarily due tothe fact that hackers use similar tools to identify weaknesses ofthe ICT system.

Some of the current automated tools are easier to use while othersrequire specific skills and pre-requisites.

Tools for auditing thePublic Sector ICTSecurity system.

MyMIS


ii. Internal control audit

These tools are used to determine the effectiveness of control orsafety measures. It includes analysis on both ICT and non-ICTbased controls or safety measures. Techniques used include inquiry,observation and testing to detect illegal acts, misuse, errors, irregularincidents or a general lack of compliance

iii. Security checklist

This is a tool normally developed by system owners to ensure thatchanges to the ICT system configuration has been reviewed. Thechecklists should be formulated to reflect local operation of an ICTinstallation.

iv. Penetration testing

The penetration test could be used as a tool to emulate the reallife situation of potential attackers attempting to break into ICTsystems. Findings from the tests are used to overcome vulnerabilitiesand weaknesses. On conducting such tests the ‘attackers’ shouldbe using tools as would be used by the genuine attacker such as:

* automated tools as described previously;

* manual penetration;

* internet tools; and

* social engineering.

2.5.2.2 Monitoring Methods and Tools

The ICTSOs and senior management in the public sector need to be sensitiveto the vulnerabilities of the Public Sector ICT Security and react to ICTincidents. Thus it is important that the monitoring of the entire Public SectorICT Security should be treated as an on-going process.

Many tools are available today and there are more being developed to handlenew and complex attacks on ICT establishments. Below are some of thetools used for monitoring which also complements tools used in auditing.These tools enable monitoring to review ICT systems regularly and in realtime. Access to audit tools, tabulation analysis and recommendations shouldbe restricted and authorised.

(a) ICT System Logs A documented evidence and a chronologicalevent of all ICT system activities. This log shouldconsist of information such as identification ofunauthorised access, unexplained or abnormalactivities. The logs should be viewed regularlyin order to verify the usual and/or unusualactivities in the ICT system.

Best practice : View and check the log dailyon critical or sensitive systems.

Public Sector ICTSecurity need to bemonitored continuously.

MyMIS


(b) Automated tools i. Virus Scanners

Readily available on the market both forstand-alone or networked systems. All usersshould use anti-virus software to verify theintegrity of their systems. However, it shouldbe noted that the threat from virus requiresperiodic up-dates of the anti-virus software

Best practice: Up-date anti-virus softwareregularly.

ii. Check Summing Algorithm

Work by generating mathematical valuebased on the contents of the file. Verificationof the file is done by comparing the valueof the sum generated by the current filewith the previously generated value. Theintegrity of the file is verified when the twovalues are identical. Another common toolis the digital signature, which is also usedto verify the integrity of the files.

Best practice: Ensure the check summing toolsare run on the new installation, clean versionand check sum value are stored securely.

iii. Password Crackers

These are specialised software to checkagainst proper user passwords as comparedto easily guessed passwords.

Best practice: Run monthly.

iv. Integrity Verification Programmes

Some of the techniques applied in integrityverification include consistency check,sensible checks and validation during dataentry and processing. The objective is toensure that the data is not tampered,omitted or unintentionally entered by wayof examining data elements and expectedrelationships.

Best practice: Incorporate during planning,design and programming stage.

v. Intrusion Detectors

These are online applications used toanalyse log-in activities, connections,operating system calls and other variouscommand parameters to detect intruders.

MyMIS


Best practice: Use for critical system.

vi. ICT System Performance MonitoringAnalysis.

This programme analyses systemperformance in real time to look for itemssuch as abnormal system response timeor abnormal request for resources.

Best practice: Run constantly at the background.Consider adequate lead-time for remedial action.

2.6 Operational Assurance Issues

Several issues are addressed and recommended to improve the operationalassurance.

(a) Encouragement in the Usage of Locally Developed Security Products

Locally developed security products are preferred over foreign makesto help spur local ICT security development.

(b) Network Auditing

Network auditing methods and tools should be use to ensure the securityof the network and to simplify the management of network auditing.Examples of automated auditing methods are the checking and verifyingof the data packet from one terminal to the other.

(c) Analysis of the ICT System Activity Log

The ICT system produces the ICT system log. This could be a daily,weekly, monthly or other time-based activity log. It is a detailed logthat indicates the user’s activity. The log should be checked and reviewedby the ICTSO or by internal or external auditors.

(d) Maintenance Contract

Maintenance clauses should be incorporated into Sales and PurchaseAgreement to include provisions for hardware maintenance by thesupplier during the warranty period. In some cases it may be necessaryto stipulate the service level required.

(e) Standard Operating Procedures

Standard Operating Procedures should be documented and formalised.

Improving operationalassurance addressestechnical issues.

MyMIS


Chapter 3 BASIC OPERATIONS

To implement effective Public Sector ICT Security will requirestrong commitment from the various level of organisationswithin the government. ICT security as a programmeencompasses a wide spectrum of topics such as technology,people, finance, training, policy, risk management, processesand measures taken in total to safeguard the government’sinformation and communications systems. This chapterexplains some fundamental operational components of ICT security that shouldbe imparted to public sector employees. Major areas include informationclassification, roles and responsibilities, human factors, electronic facilities,document management, storage management, contingencies, incident handlingand physical and environmental protection.

3.1 Information Classification

Official matters are graded into four classifications i.e. Rahsia Besar, Rahsia,Sulit and Terhad as stipulated in the Arahan Keselamatan.

Information content created digitally follow similar classification. Howeverthe protection of digital information requires different handling needs whencompared to paper-based information such as encryption, colour coding,labelling, precaution against piggybacking and electronic eavesdropping e.g.tempest (Refer to Table 3.1 and Figure 3.1).

Mode Conventional Digital

Media Hard copy Digital Information

Handling As per Arahan Handling protectionKeselamatan (As per Figure 3.1)

Table 3.1: Conventional vs. Digital Information Handling

This chapter discussesfundamental operationalcomponents

4 classifications of officialmatters–Rahsia Besar,Rahsia, Sulit and Terhad

Medium Action

Hard disk Encryption

Floppy Colour CodingLabellingEncryption

Screen AvoidTempest andPiggybacking

Transmission Encryption

ClassifiedInformation

Rahsia BesarRahsiaSulitTerhad

Conventional Digital

➧

Figure 3.1: Handling Protection

MyMIS


3.2 Roles and Responsibilities

Management involvement is critical to ICT security. Capitalexpenditures alone cannot accomplish security. Managementconcern and effort are needed to plan, guide, motivate, andcontrol an effective ICT security programme via the formationof ICT Security forum. A balanced programme, with properconcern for practicality and human values, will enhance theoverall effectiveness of the information processing function.

3.2.1 Head of Department

Heads of Department are owners of Public Sector ICT assets and areaccountable for their safe-keeping and protection. Essentially, the Head ofDepartment should realise the importance of Public Sector ICT Securitybefore it is implemented across the entire organisation. The Head of Departmentneeds to be responsible for and supportive of ICT security programmes,promote compliance to standards, procedures and guidelines, and align PublicSector ICT Security requirements to the department’s missions and objectives.In addition, the Head of Department should ensure adequate resources,both financial and personnel, are available for the programmes.

The roles and responsibilities of the Head of Department include:

(a) ensure all users including government employees, vendors andcontractors understand the need for Public Sector ICT Security policy,standards and guidelines;

(b) ensure all users including government employees, vendors andcontractors abide by the Public Sector ICT Security policy, standardsand guidelines (necessary action must be taken upon non-complianceof any security measure);

(c) undertake evaluation of risk and security programmes based on thePublic Sector ICT Security policy, standards and guidelines;

(d) develop an Adherence Compliance Plan for the purpose of managingrisk arising from non-compliance of the Public Sector ICT Securitypolicy, standards and guidelines; and

(e) report to MAMPU and other relevant authorities as required underMekanisme Pelaporan Insiden Keselamatan Teknologi Maklumat danKomunikasi (ICT) - Pekeliling Am Bil. 1/ 2001 dated 4 April 2001the following:

i. information loss or unauthorised information disclosure orsuspected information loss or suspected unauthoriseddisclosure;

ii. unauthorised or suspected unauthorised usage of ICT system;

iii. loss, stolen or unauthorised disclosure of access controlmechanisms or passwords or suspected loss, stolen orunauthorised disclosure of access control mechanisms orpasswords;

iv. unusual systems behaviour such as missing files, frequentcrashes and misrouted messages; and

v. attempted ICT break-ins and untoward security incidents.

Roles of Head ofDepartment

MyMIS


3.2.2 Chief Information Officer

The Chief Information Officer (CIO) is another important ICTresource person. The roles and responsibilities of the CIOinclude:

(a) support the Head of Department in discharging PublicSector ICT Security responsibility;

(b) transform the responsibilities above into an effective action plan;

(c) incorporate Public Sector ICT Security requirements into existingCIO functions i.e. preparing the IT Strategic Plan. A sample ICTStrategic Plan is as per Appendix G; and

(d) in some cases, the CIO is also the Departmental Security Officer.

3.2.3 Computer Manager

The Computer Manager acts as the Operational Head of ICTand is responsible for managing Public Sector ICT Security atsite.

The Computer Manager supervises and monitors personnel inthe department and acts as the key player in ICT security programme.

The roles and responsibilities of the Computer Manager include:

(a) understand, support, and abide by the Public Sector ICT SecurityPolicy, standards (MS ISO/IEC 13335 part 1-3, MS ISO 17799part 1) and MyMIS;

(b) ensure that all users understand, support and comply with the PublicSector ICT Security policy, standards and guidelines;

(c) implement ICT security controls consistent with the requirements ofthe department;

(d) create a positive atmosphere that encourages all users to report onICT security concerns;

(e) define realistic ‘need-to-know’ or ‘need-to-restrict’ criteria to implementand maintain appropriate access control;

(f) review physical security safeguards, in consultation with the ChiefGovernment Security Officer, Public Sector ICT Security officer andothers, as required. (Physical security should not only address thecentral ICT installations only but also back-up facilities and officeenvironments);

(g) ensure that ICT security reviews are performed as and when requiredeither by internal policy, regulations or ICT security concerns. Someexamples of circumstances that trigger such a review include:

i. large loss from a security failure;

ii. purchase or upgrade of computer systems or software;

iii. acquisition of new communications services;

iv. introduction of new tools;

v. introduction of new out-sourced processing vendor; and

vi. discovery of a new threat or a change in a threat’s direction,scope or intent.

Roles of CIO–StrategicPlanner of Public SectorICT Security

Roles of ComputerManager

MyMIS


(h) develop, review and align the contingency planning of the department;

(i) review the entry and exit procedures in terms of user accessibilityto system resources when employees join or leave the department;

(j) apply security principles in preparing exception requests;

(k) ensure subordinates participate in the ICT security awarenessprogramme;

(l) report any ICT security concerns to the CIO; and

(m) periodic review of access rights and privileges.

3.2.4 ICT Security Officer

The ICT Security Officer (ICTSO) is in charge of the development,implementation and maintenance of the Public Sector ICT Securityprogrammes of the department.

The roles and responsibilities of the ICTSO include:

(a) manage the overall Public Sector ICT Securityprogramme of the department;

(b) enforce the Public Sector ICT Security policy, standards and guidelinesfor use throughout the department (these documents should bekept up-to-date, reflect changes in technology, organisation’s directionand potential threats);

(c) assist in the development of specific standards or guidelines thatmeet Public Sector ICT Security policy requirements for specificapplications within the department;

(d) review ICT systems against stated security requirements to identifyvulnerabilities and risks;

(e) perform Public Sector ICT Security audits based on accepted PublicSector ICT Security policy, standards and guidelines to identify non-compliance;

(f) ensure that when exceptions to policy are required, the risk acceptanceprocess is adhered to and that the exception is reviewed and re-assessed periodically;

(g) suggest measures to bridge the gap in the case of non-compliance;

(h) review audit and examination reports dealing with ICT security issuesand ensure that management understands the Public Sector ICTSecurity issues involved. The ICTSO should be involved in theformulation of management’s response to the audit findings andfollow-up periodically to ensure that controls and procedures requiredare implemented within the stipulated time frame;

(i) confirm that the key threats to information assets have been definedand understood by management;

(j) keep up-to-date on current threats, information processing technologiesand the most current information protection methods and controlsthrough periodic information up-dates, ICT security seminars andon-the-job training;

(k) prepare and disseminate appropriate warning of potentially seriousand imminent threats to the organisation’s information assets, e.g.computer virus outbreak;

(l) form a security handling team to handle security incidents;

(m) co-ordinate or assist in the investigation of threats or other attackson information assets;

(n) assist in the recovery from attacks;

Roles of ICTSO

MyMIS


(o) assist in responding to department’s client security issues, includingletters of assurance and questions on security; and

(p) report any Public Sector ICT Security issues to Departmental SecurityOfficer and CIO.

3.2.5 System Administrators

The roles and responsibilities of System Administrators include:

(a) maintain the accuracy and completeness of accesscontrol privileges based on instructions from theinformation resource owner and in accordance withapplicable Public Sector ICT Security policy, standardsand guidelines;

(b) take appropriate action when informed by the respective managerwhenever employees terminate, transfer, take leave of absence, orwhen job responsibilities change;

(c) closely monitor users with high-level privileges and remove privilegesimmediately when no longer required;

(d) monitor daily access activity to determine unusual activity such asrepeated invalid access attempts that may threaten the integrity,confidentiality or availability of the system (these unusual activities,whether intentional or accidental in origin must be brought to theattention of the ICTSO for investigation and resolution);

(e) ensure that every user be identified by a unique identification (userID) associated only with that user (the process should require thatthe user identity be authenticated prior to gaining access to theinformation resource by utilising a properly chosen authenticationmethod);

(f) make periodic reports on access activity to the appropriate informationowner; and

(g) ensure that audit trail information is collected, analysed and protected.

The System Administrator’s activities should be reviewed by the ICTSO orany authorised independent party on a routine basis.

3.2.6 Help Desk

The main function of the Help Desk is to provide quickassistance to users on problems and issues related to computerapplications and set-up. The Help Desk is the first point ofreporting on ICT incidents and to re-route callers to responsiblepersonnel. A sample of Help Desk ReportingForm is attached as in Appendix I.

3.2.7 Users

By definition, a user is anyone who accesses any governmentICT asset. A user may be a government employee, membersof the administration, contractors, vendors or anyone whoaccesses or uses government ICT assets.

All users are held responsible for their actions when accessinggovernment ICT assets. This accountability should be made clear to allpotential users. In order to ensure compliance, all ICT systems should supportfacilities that record and detect user actions.

Roles of SystemAdministrator

Roles of Help Desk

Responsibilities of users

MyMIS


The roles and responsibilities of users include:

(a) understand, support, acknowledge and abide by the Public SectorICT Security policy, standards and guidelines;

(b) aware of the security implications of their actions;

(c) promptly report to relevant authorities any suspicious behaviour orcircumstance that may threaten the integrity of information assetsor processing resources; and

(d) keep each department’s information confidential.

3.2.8 Vendors, Contractors and External Service Providers

The responsibilities of Vendors, Contractors and External Service Providersinclude:

(a) understand, support and abide by the Public Sector ICT Securitypolicy, standards and guidelines;

(b) be aware of the security implications of their actions;

(c) promptly report to relevant authorities any suspicious behaviour orcircumstance that may threaten the integrity of information assetsor processing resources; and

(d) keep the government’s information confidential.

3.3 Human Factors

For any department, the employees are its most important assets. Throughproper planning of acculturation, employees can and do contribute successfullyto achieving the mission and vision of the department.

Employees play crucial roles in supporting departmental security ICTprogrammes. Armed with proper training, most employees can be dependedupon to identify anomalies and deviations from good security practices, whichcan then be the basis for remedial actions. It is also useful to note of caseswhere employees take advantage of vulnerabilities resulting in theft, informationexposure or wrongful communication. Employees also commit mistakes whetherintentional or otherwise that may later lead to security breaches.

Statistics also indicate that employees perpetrate computer crime in lieu oftheir intimate knowledge on internal systems.

To mitigate the risks mentioned above, government department should considerdeveloping suitable approaches in identifying vulnerabilities that could betaken advantaged off by employees. A good case in point is the ICT hierarchywhere certain positions become sensitive due to its association with powerfulprivileges. In such case, all personnel earmarked to such positions shouldbe thoroughly vetted. It is also good practice for management to “know theiremployees” so that such intangible factors such as attitudes and inclinationsmay be known. Some of the controls listed below represent safeguard inhuman factors.

Responsibilities ofVendors, Contractors andExternal ServiceProviders

Employees are importantassets

Mobilising humanresources

MyMIS


3.3.1 Personnel Security

Personnel security encompasses activities aimed at minimising security riskcaused or originating from employees resulting from errors and or oversight.

Safeguards include:

3.3.1.1 Confidentiality Agreement

Employees that are privy to sensitive information will be required to sign anon-disclosure agreement. (A good example is as per LAMPIRAN ‘D’ ofArahan Keselamatan).

The original copy of the duly signed agreement should be retained forsafekeeping and future reference.

3.3.1.2 Personnel Screening

Personnel screening calls for the vetting of government personnel and aspracticed, implemented at the recruitment stage. There may also be instanceswhere the employee is subjected to detail vetting due to scope enlargementor promotion.

All matters pertaining to personnel screening should be referred to the Officeof the Chief Government Security Officer.

No automatic right of access will be granted to individuals regardless of theirsecurity vetting. In all instances of information exposure, the need-to-knowprinciple must prevail.

3.3.2 Awareness

Employees should inculcate good ICT Security practices. This could be achievedby establishing an ICT communications and awareness programme to informemployees of the importance and seriousness of ICT security. In order tofurther minimise risk, a ‘clear desk’ policy should be implemented.

Clear desk can be defined as not leaving sensitive materials on desk whenleft unattended.

3.3.3 Problem Employees

Employees with personal problems that could result in possible ICT securityexposures should be given assistance.

3.3.4 Former Employees

Employees who leave the organisation must surrender all organisationalassets under the employee’s supervision immediately.

Reducing security riskfrom errors

Confidentialitydeclarations andagreements

Personnel screeningshould be addressed atthe recruitment stage

No automatic right ofaccess

Head of Departmentshould establishawareness programme

Assist problem employees

Surrender all properties

MyMIS


3.4 Electronic Facilities

3.4.1 Telecommuting

The current technology has enabled users to initiate workfrom anywhere and at the same time remain connected tothe office. This facility or telecommuting allows mobility andusers access into the office ICT system.

The following should be considered in addressing securityissues for telecommuters:

(a) equipment borrowed must be with a prior approval from head ofdepartment. The employee is accountable for the safety of theborrowed equipment;

(b) allow an employee to telecommute only after consideration is givento the employee’s interpersonal skills, communication skills, andability to work in an unsupervised environment;

(c) establish and distribute a clear written procedure on telecommuting;and

(d) require any employee who wishes to telecommute to execute awritten agreement which addresses the following issues:

i. equipment to be used;

ii. phone lines;

iii. maintenance;

iv. costs and reimbursements;

v. supervision;

vi. liability for personal injury, fire, etc.; and

vii. physical and logical security to include protection of equipment,information transmitted or stored, hardcopy, back-up ofinformation, disposal of hardcopy and diskettes, and protectionof networks.

3.4.2 Voice, Telephone and Related Equipment

Telephones, Private Branch Exchange (PBX), facsimile machinesand Voice Mailbox systems are frequent penetration point andare also open to abuse. The most common security hole is theuse of insecure maintenance modes/interfaces.

PBX attacks often result in attackers making long distancetelephone calls, perhaps completely unnoticed until bills suddenly increase.Often maintenance modes are badly protected or special features are enabledfor outside access when they should not be.

In general, they are subjected to the following:

(a) where possible, maintenance interfaces should not be accessibleexternally;

(b) maintenance passwords should never be left at their default settings;and

(c) all devices with external interfaces should be configured such thatthey are not easily open to abuse.

Telecommuting andremote accesss

Telephones, PBX,facsimile and VoiceMailboxes are thepenetration points

MyMIS


Organisations utilising voice mail systems are indeed subject to a varietyof potential threats and exposures. This includes disclosures of messages,liability for long distance telephone charges and possible loss of service dueto unauthorised access to voice mail systems. It is completely necessary toget the ICTSO involved in the implementation and review of appropriatesecurity controls offered by vendors. This will eliminate or reduce possiblesecurity exposures.

The following subsections illustrate control mechanisms that should be usedto secure voice and related information.

3.4.2.1 Access to Voice Mail System

The integrity of information residing in voicemail can be preserved and theexpenses and liability of unauthorised use of voicemail services limited bycontrolling access to voicemail service with physical controls and with logicalaccess controls.

3.4.2.2 Private Branch Exchange

A PBX is an internal switch for attached telephone units within an organisation.The switch usually supports connections to outside telephone lines and maysupport electronic switching of information to the attached computer devices.

PBX systems can be protected against unauthorised outside calls as wellas unauthorised disclosure, modification or destruction of information via itselectronic components by:

(a) maintaining close liaison with the PBX supplier and network serviceproviders concerning emerging fraud and other problems;

(b) providing physical access controls that restrict access to the PBXby authorised individuals;

(c) protecting any maintenance or administrative ports that are accessiblevia remote dial-up, with passwords, and either require secure call-back or challenge/response procedures;

(d) producing an audit trail of all administrative and maintenance access;

(e) changing all default password settings immediately upon installationof a PBX;

(f) documenting all changes following approved change controlprocedures. It may be necessary to use call accounting software;

(g) preventing all access to local ‘hot numbers’ or other expensive services;and

(h) following least privilege on setting facilities for particular extensions,e.g. deny international access unless explicitly authorised.

3.4.2.3 Spoken Word

It is completely necessary to educate employees to the sensitivity of informationbeing discussed regardless of circumstances by advising employees periodicallyand to be aware of who is present during conversations involving official

Voice mail systems aresubject to threats andexposures

Control access tovoicemail service

Control access to PBX

Control access to spokenword

MyMIS


Interception duringtransmission

Encrypt communicationsto prevent interception

secret information. Whenever official secret information is to be discussed,an announcement to that effect should be made, unless it is clear thatpersons who are party to the conversation or meeting are aware of thesensitivity of the information.

3.4.2.4 Intercept

Communication can be intercepted. The prevailing technology has made theprocess simpler and can be mounted within a short time span. Therefore,it is advisable that organisations protect against interception of official secretinformation during telephone transmission by:

(a) encrypting telephone calls in which official secret information willbe discussed; and

(b) prohibiting use of unencrypted cellular or cordless telephones fortransmission of official secret information, except in emergencies.

3.4.2.5 Casual Viewing

In order to minimise the disclosure of information on computer terminal screensthrough casual viewing:

(a) position computer displays away from public view;

(b) implement password screen saver; and

(c) apply the need-to-know principle.

3.4.2.6 Output Distribution Schemes

There is a trend to replace paper documents such as reports and statementswith on-line access to computer systems.

In order to protect against unauthorised modification of official secret informationreports, destroy unused hard copies completely.

3.4.2.7 Destruction

All unused official secret information should be disposed of securely andcompletely.

3.4.2.8 Clock Synchronization

It is important to ensure correct setting of computer clocks. This will becomeapparent when determining sequence of events and audit trail.

3.4.3 Facsimile

Facsimile is the transmission of paper-based text, graphs,drawings, plans and other written images electronically viatelephone lines.

Since the fascimile allows for the transmission, receipt andhence the dissemination of information, suitable controls should be implementedto govern its use:

(a) all facsimile machines should be installed in rooms that are visibleand be easily monitored;

Control access to thefacsimile

Dispose unused officialsecret information

Set the computer clockcorrectly

Destroy unused hardcopy

Minimise casual viewing

MyMIS


(b) allow personnel with granted access privileges to pick up messages;and

(c) the transmission of official secret information when done throughfacsimile should only be done using secured facsimile machinesapproved by the government.

3.4.3.1 Modification

To preserve the authenticity of the source documents, employ separateverification means such as prearranged telephone calls to confirm transmissionand receipt.

3.4.3.2 Transmission Acknowledgement

In preventing false claims of message receipt or denial of message delivery,apply transmission acknowledgement controls such as transmissionacknowledgement and telephone confirmation.

3.4.3.3 Misdirection of Messages

To avoid misdirection of official secret information and hence disclosure,re-check the receipient number and identifying prior to sending.

Attach appropriate warning coversheets to assist in the retrieval of facsimiledocuments at the receiving end and also to assist in detecting misdirectedfacsimile messages.

3.4.3.4 Disclosure

All transmission of official secret information must be encrypted usingapproved encryption. Similarly, to prevent unauthorized disclosure such asunauthorised viewing of unattended facsimile equipment, employ the followingmeasures:

(a) locate facsimile machines and image processing terminals withinareas under physical access control;

(b) prohibit facsimile transmissions carrying official secret information,unless it is determined by independent means that a properlyauthorised person is present at the receiving terminal. One methodof doing this is to send the cover sheet only, wait for telephonicacknowledgement of its receipt, then resend the entire packageusing the redial button on the facsimile device; and

(c) classify and label documents in image systems or those receivedvia facsimile using the same criteria used for paper documents.Documents should bear markings appropriate to their classification.

The use of secured cellular facsimile raises potential disclosure concerns.In protecting against disclosure of facsimile sent via secured cellular connections,prohibit transmission of official secret information through cellular facsimileunless encryption is in use.

3.4.3.5 Unsolicited Messages

Restrict the disclosure of encrypted facsimile machine numbers on a need-to-know basis. This will help reduce unsolicited messages and minimiseservice loss caused by junk facsimile.

Disclose facsimile numberon a need-to know basis

Employ separateverification

Use of transmissionacknowledgement

Use secured cellularfacsimile for transmissionof official information

Encrypt facsimile forofficial secrettransmission and preventunauthorised viewing

Check identity of thereceiver

MyMIS


3.4.3.6 Retention of Documents

In order to prevent the loss and modification of necessary business records(including facsimile on thermal paper and stored image where source documentsare not available), store image on secured media. It should then be stored,or a separate copy made, kept off-line and retained.

3.5 Electronic Mail

Electronic mail (e-mail) is the electronic communication over computersystems that enable two or more parties to send, receive, storeand forward communications over public and private networks.Multiple message types may be transmitted such as text, digitisedvoice and images.

Within the public sector, there are two (2) categories of e-mail:

(a) Official E-mail

Official e-mail is under the supervision and control of the MalaysianGovernment. Contents of the official e-mail can be categorised as:

i. non-classified official e-mail for handling unclassified officialinformation by following the procedure issued from the respectiveministry, department and agency; and

ii. classified official e-mail for handling classified official informationthat must be protected in the interest of the government.

(b) Personal E-mail

Personal e-mail is not under the supervision and control of theMalaysian Government. Personal e-mail cannot be used for officialmatters.

3.5.1 Authorised Users

Authorised access to e-mail facilities should be controlled. Employ both logicaland physical access controls to ensure authorised access.

3.5.2 Physical Protection

All ICT assets when taken together provide e-mail services should be protectedfrom unauthorized users and to ensure service provision. Protective measuresinclude:

(a) limit physical access to employees and or maintenance crew whoare necessary for the operation of the system; and

(b) house ICT assets supplying e-mail services away from public areas.

3.5.3 Logical Protection

In order to prevent unauthorised modification, disclosure or destruction ofinformation residing in computer systems, logical access control for all computersmust be applied.

E-mail physical protection

E-mail logical protection

Keep a copy ofinformation on securedmedia

E-mail – an electroniccommunication overcomputer system

Categories of e-mail

Use logical and physicalaccess control

MyMIS


3.5.4 Integrity of Content

E-mails can be the beginning of a series of actions to be taken. Beforeactions are initiated, it may be necessary to determine the integrity of itscontent. This is accomplished by:

(a) verifying the authenticity of source through telephone, facsimile orreply e-mail, or

(b) use of approved digital signature.

3.5.5 Disclosure

E-mails carrying official secret information must be protected againstunauthorised disclosure via:

(a) label information that is classified as per Arahan Keselamatan;

(b) prohibit the transmission of official secret information over e-mail,unless encrypted using technique approved by government;

(c) all classified information must be kept encrypted; and

(d) forwarding of official secret information must be with prior permissionfrom the document originator.

In order to minimise misdelivery:

(a) to avoid misdirection of official secret information and hence disclosure,re-check the receipient e-mail address and identify prior to encryptionand sending. Attach appropriate warning messages to assist thereceipient at the receiving end.

(b) receiver must acknowledge receipt of information;

(c) for bounced mail, prohibit retransmission until the cause is identified;and

(d) use trusted public network providers.

3.5.6 Message Retention

Official e-mails are public records and should be treated as such. As withcurrent paper based documents, e-mails should be stored into appropriatefolders for easy retrieval and reference. There may also be cases wheree-mails are stored for business and regulatory reasons. To assist in propermanagement of e-mails:

(a) create a record retention;

(b) purge unread and unsaved messages after a specified time; and

(c) handle all electronic records of archival value, in compliance withAkta Arkib Negara Malaysia 44/1966.

Public key certificates or authentication keys used during processing shouldbe archived together with messages to ensure proper reconstruction andauthentication.

3.5.7 Message Reception

Most e-mails of good repute offer function to allow users to manage theire-mail messages. Users may find it useful to use automated status checkingfacility to ensure all messages are received and read.

Messages should bestored and easilyretrieved

Facility to confirmmessage status

E-mail integrity

Protect against disclosurevia e-mail systems

Minimising misdelivery

MyMIS


3.5.8 Protection against Malicious Code

Messages sent and received via the mail system should be cleaned frommalicious code by:

(a) scanning all files and attachment;

(b) not opening any attachment files from unknown or suspicious senders;and

(c) using the latest and up-dated anti-virus software.

3.5.9 Security Labelling

E-mails and its attachment containing official secret information must begiven security labels as per Arahan Keselamatan.

3.6 Mass Storage Media

Microfilm, microfiche, compact disk (CD), diskette, tape, cartridge and othermass storage media pose special concerns because of the vast quantity ofinformation they can store, and the relative inability to readily ascertain theircontents. Hence special precautionary measures have to be taken in orderto ensure that the confidentiality, integrity and availability of the informationcontained within the storage media are intact and secured.

The following controls should be put in place:

3.6.1 Protection of Information in Storage Media

In order to provide greater security of official secret information stored onmagnetic media, the following steps have to be taken:

(a) encrypt all official secret information upon storage;

(b) physically protect the storage media from unauthorised access orremoval;

(c) maintain a formal record of the authorised recipients of information;

(d) provide access restrictions and control to back-up files/copies activities;and

(e) index the media for identity with instructions on special handling,if required.

3.6.2 Environmental Considerations

Mass storage media may have different sensitivities to environmental factors,and therefore require different measures of environmental protection. Magneticmedia, such as diskettes or magnetic tapes are sensitive to temperature,liquids, magnetism, heat, smoke and dust.

In order to prevent destruction of information due to environmental problems,the storage sites should be provided with adequate fire protection andenvironmental control in accordance to the media’s manufacturers’ specifications.

Message should be freefrom malicous code

Message should belabelled as per ArahanKeselamatan

Storage media for vastquantity of informationstored

Information protection instorage media

Media are sensitive toenvironmentalconditions. Storage siteshould be adequatelyprovided with fire andenvironmental control

MyMIS


3.6.3 Disposal of Storage Media

Storage media should be disposed of securely and completely when it isno longer required, to prevent improper disclosure.

Formal procedures should be taken to minimise the risk of sensitive informationleaking through careless disposal. The recommended procedures are asfollows:

(a) media containing classified information should be disposed byshredding, grinding (granularising) or burning;

(b) use of the degaussing process as a recommended method tomagnetically erase data from magnetic ICT media. Two types ofdegausser exist: strong permanent magnets and electric degausser;and

(c) disposal of sensitive items should be logged in order to maintainan audit trail.

When accumulating media for disposal, consideration should be given to theaggregation effect, which may cause a large quantity of unclassified informationto become more sensitive.

3.6.4 Non-Current Storage Media

In order to ensure availability of information stored on non-current storagemedia, the information should first be transferred to the new current storagemedia before deletion or disposal. However, should the organisation continueto utilise non-current storage media, care must be taken to retain all thenecessary peripheral equipment such as its drivers, and ensure its workingorder.

3.6.5 Intellectual Property Rights

Commercial software products are usually supplied under a license agreementthat limits the use of the products to specified machines and may limitcopying to the creation of back-up copies only. In preventing infringementof intellectual copyrights due to unauthorised copying of software on massstorage media, compliance to the Malaysian Copyright (Amendment)Act, 1997must be ensured at all times.

3.6.6 Vendors, Contractors, External Service Providers, Third PartyAccess

Information is an asset and should be protected. Third party access togovernment documents for referral to perform a specific task should becontrolled. For example, a new ICT system installation may require referralto blue prints, plans, migration forms, approvals etc.

Access to information including assets, facilities, and documents shouldbe evaluated. This is to ensure acceptable risk by allowing third partyaccess. The more sensitive the information is, the higher approval authorityis required.

In the government environment, the authority level is specified clearly forthe official secret information as described earlier. Government officers muststrictly adhere to guidelines issued such as Rangka Dasar Keselamatan TeknologiMaklumat dan Komunikasi (ICT) Kerajaan Bil. 03 Tahun 2000 before allowingthird party access.

Disposal of unusedstorage media

Non-current storagemedia should betransferred to the newmedia before disposal

Compliance to MalaysianCopyright (Amendment)Act, 1997

Control access byVendors, Contractors,External ServiceProviders and Third Party

MyMIS


Business ResumptionPlan for the PublicSector

Organisation RiskAnalysis Model

3.7 Business Resumption

Government ICT installations store huge amounts of information.This information is varied in nature, from information for dailyfunctions to information for producing trends and analysis.The monetary value attached is of sizable amount. The contentvalue of the information is immeasurable and in some instancesmay be difficult or if not impossible to reconstruct. Thereforeall ICT installations should have some form of business resumption plan.

The plan should be geared towards achieving continued business operation.In instances where it becomes impossible to do so then the plan shouldtarget for continuous functioning of core operations. The activities involvedin the business resumption are as follows:

(a) risk analysis;

(b) disaster recovery/contingency plan;

(c) regulatory compliance; and

(d) insurance.

3.7.1 Risk Analysis

The organisation’s risk analysis involves analysis of background of risk,business impact, threat and vulnerability, protection, compliance, follow-upand feedback. These major components are essential for the analysis ofrisk. The organisation risk analysis model is illustrated in figure 3.2: RiskAnalysis Model.

3.7.2 Disaster Recovery/Contingency Plan

The Disaster Recovery/Contingency Plan (DRP) forms an important part ofthe Public Sector ICT Security programme. As mentioned earlier, its objectiveshould be to ensure continuous functioning of critical business in the eventof disruption. The plan should outline roles and responsibilities in the eventof a disaster or conditions that prevent continuous business functions. Inaddition, the disaster recovery plan should ensure that information andinformation processing facilities are restored as soon as possible after aninterruption. Please refer to Appendix L of a Sample of Disaster Recoveryand Contingency Planning.

The disaster recovery/contingency plan should include at least the following:

(a) a list of core activities considered critical preferably with priorityrankings;

(b) a list of personnel available both internal and from the vendor togetherwith their contact numbers (facsimile, phone and e-mail). Apart fromthat there should also be a second list to replace personnel whomay be unable to attend to the incident;

(c) a detailed list of information that requires back-up and the exactlocation of storage as well as instructions on how to restore suchinformation and related facilities;

(d) identification of alternative processing resources and locations availableto replace crippled resources; and

(e) agreements with service providers for priority resumption of serviceswhere possible.

Disaster Recovery/Contingency Plan toensure continuousfunctioning of criticalbusiness

MyMIS


▼

Figure 3.2: Risk Analysis Model

CONFIDENTIALITY

INTEGRITY

AVAILABILITY

PEOPLE

TECHNICAL

PHYSICAL

BS7799

EXISTINGPROCEDURE

KNOWLEDGE

ALREADY INPLACE

Compliance &Follow-up

Background

Business ImpactAnalysis

Threat &Vulnerability

Analysis

Protection

NO ACTIONREQUIRED

ACTION TO TAKE

ACCEPT RISK

LEGAL &REGULATION

SAFETY

PRIVACY

REPUTATION

MONEY

FEEDBACK

▼

▼

▼

▼

▼▼

▼

▼

▼▼

▼▼

▼

▼

▼

▼

▼▼

▼

▼

Source : NISER

▼

MyMIS


In order to ensure smooth transition, the disaster recovery/contingency planshould be tested yearly if not more. The testing of the plan has the addedadvantage of keeping the personnel trained and skills fine-tuned as well asidentifying likely operational problems. The plan should also be evaluatedperiodically to ascertain that it is still appropriate and meeting the purposeit was intended for.

In ensuring against business interruption, recommended actions under thedisaster recovery/contingency plan are:

(a) include telephone and voice mail service continuation to ensure thecontinued availability of voice mail and telephone services;

(b) include image systems and facsimile capability to ensure againstbusiness interruption due to loss of image systems;

(c) include e-mail service continuation to ensure business continuationin case of loss of e-mail services;

(d) continued availability of information stored on microfilm, microfiche,or other mass storage media should be ensured through the followingprocedures:

i. include mass storage media, as part of the contingency anddisaster recovery plan;

ii. provide for back-up of all important files, critical businessdata, important programmes and documentation to enablebusiness resumption of core processes;

iii. the frequency of back-up should be in-line with the importanceof the information and the business resumption plan;

iv. back-up should be securely stored, and the recovery procedurechecked and tested regularly for reliability; and

v. access to back-up should be strictly controlled.

(e) include paper documents and media storage to ensure that vitalbusiness records are not lost through destruction or loss of paperdocuments;

(f) protect government operations from disastrous effects of fire and/or water:

i. a business continuity or resumption plan should be in placeand fully tested; and

ii. back-ups of all important information, services and resourcesshould be available.

(g) protect buildings containing key equipment and the key equipmentagainst the effects of lightning; and

(h) protect against natural disasters by avoiding disaster prone areas.

3.8 Public Sector ICT Security Incident Handling

A security incident is an incident that affects either directly or indirectly, theconfidentiality, integrity and availability of the ICT system.

Incident handling is similar to first-aid. Once an organisation suffers a disruptionand is given an ‘incident handling’, where its ICT infrastructure needs toundergo a proper overall security diagnosis.

Test the DisasterRecovery/ContingencyPlan at least once a year

A security incident affectsconfidentiality, integrity,availability andaccountability

MyMIS


3.8.1 Causes of Security Incidents

There are many causes of security incidents either:-

(a) intentional such as virus, deliberate attacks, sabotage etc; and

(b) unintentional such as programme errors, technical deficiencies, lapsesin responsibility etc.

More common these days are events caused by deliberate technical activitiesinternally or externally launched by hackers.

3.8.2 Handling Security Incidents

Following a security incident, the computer manager or ICTSO will be requiredto take necessary measures to minimise the resulting damage or those whichmay be required by law:

(a) order the security incident handling team of the organisation (if ithas been set up) to look into the matter immediately;

(b) report the incident to Government Computer Emergency ResponseTeam (GCERT), MAMPU and seek further advice as per requirementsof the Mekanisme Pelaporan Insiden Keselamatan TeknologiMaklumat dan Komunikasi (ICT) - Pekeliling Am Bil 1 Tahun 2001;and/or

(c) report to respective agencies such as the police within 24 hours.[Refer to Appendix H for further advice]

3.8.3 Developing Security Incident Handling Capability

Characteristics of successful incident handling capability:

(a) Good Understanding of the Domain.

‘Domain’ means all relevant programmes and users affected by theanticipated incident. In a networked environment, an incident handlingcapability may define that its constituency to cover only a particularsingle Local Area Network (LAN) environment which is consideredto be critical and cost justifiable. Certainly, if the domain coverageis as wide as the entire organisation, then the ‘understanding’ tobe developed needs to cover the entire organisation;

(b) High-level Awareness

Users need to be aware of the importance of incidents handling,and to trust its capability. High-level awareness can be achievedthrough good and effective security training programmes. Userscan play a significant role in recognising threats, reporting and providingpreliminary emergency response;

(c) Centralised Reporting and Communications

All suspected security incidences must be reported to the ICTSOimmediately. The ICTSO should then report to the CIO. Based onthe gravity of the incident, the ICTSO may proceed to seek technicaladvice from MAMPU; and

Security incident handlingprocedure

Many causes of securityhandling

Characteristics of securityincident handling

MyMIS


(d) Competent Technical Support

In selecting members of the incident handling team, the followingshould be considered:

i. expertise in Public Sector ICT Security;

ii. ability to work as a team;

iii. effective communication between all parties from unskilledusers to managers to law enforcement officers (police);

iv. reachable on call 24 hours X 7 days;

v. available on short notice; and

vi. ability to liaise with other organisations effectively.

Benefits of an internal ICT Security incident handling capability;

(a) Limit Damage from an Incident

Such a capability enables users to report incidents promptly andthe organisation to quickly provide appropriate response andassistance. This includes establishing contacts with supportive sources(technical, managerial, legal and security) to help in containing andrecovering from the incident;

(b) Prevent Future Recurrence

When an incident occurs, the problem can be studied so that moreeffective safeguards can be implemented. Additionally, through outsidecontacts, early warnings can be provided and this tends to stop theproblem from spreading;

(c) Identify Other Threats and Vulnerabilities

An incident handling can greatly facilitate analysis of future threatsby exploiting information logged due to the incident. This helps toidentify potential recurring problems;

(d) Enhancing Internal Communications and Organisation Preparedness

A crisis will encourage communication between members of theorganisation to respond to any type of future incidents (not justsecurity-related incident). It will also serve to maintain good relationbetween the organisation and other relevant agencies; and

(e) Enhancing Security Training and Awareness Programme

Based on incidents reported, training personnel will have a betterunderstanding of user’s knowledge and awareness of security issues.Citing actual events in training, results in better response.

Since computers are networked, incident occurring in one organisation mayaffect other organisations. Thus, there is a need to liaise with other teamsin other organisations, perhaps even pooling knowledge via an e-mail group.

A good technical team needs to be identified and trained to handle securityincidents successfully. Otherwise the task has to be outsourced.

Benefits of securityincident handlingcapability

Liaison with otherorganisations

Support from technicalteam

MyMIS


Rapid team action is facilitated by the establishment of a centralised reportingmechanism. When the incident involves an organisation that handles nationalsecurity, the means of communication must also be secure, for exampleusing approved encryption for voice, facsimile or e-mail.

3.8.4 Issues to Consider When Setting an Incident Handling Capability

There are several issues that should be considered in setting an incidenthandling capability. These are:

(a) Set-up Cost;

(b) User’s Perception;

(c) Personnel;

A minimum set of personnel listed in the plan includes a computermanager and at least one technical staff.

(d) Demography of the Organisation; and

Should the incident handling require travel to distributed sites, thereshould be funds allocated for this. Some organisations may alsohave branches overseas.

(e) Security Awareness and Training.

There will be requirements for initial training and continuous educationon latest developments in Public Sector ICT Security. An associatedissue will be the budget for seminars, workshops, conferences andcontinuous education programmes. It cannot be emphasised furtherhow a good incident handling capability is closely related to anorganisation’s training and awareness programme. Users will beeducated about such incidents and what to do when they actuallyoccur. This can increase the likelihood that incidents will be reportedearly, thus minimising the damage.

3.9 Public Sector ICT Security Awareness, Training,Acculturation and Education

ICT systems are as good as the people that operate them.Though application and sensitivity may differ amongstgovernment departments the people is usually regarded asone of the weakest links in attempting to secure ICT systems.Therefore it is of the utmost importance to allocate sufficientresources for the planning and implementation of programmeson Public Sector ICT Security awareness, training, acculturation and education.

Security conscious and properly trained employees are still one of the bestmeans to improve any Public Sector ICT Security system. Programmes thatare conducted properly will make employees realise the importance of theirrole in ensuring the safety of their ICT environment. Therefore the PublicSector ICT Security awareness, training, acculturation and educationprogrammes should be designed such that it enhances security from boththe assets and human counterpart point of view.

Immediate team action isfacilitated by theestablishment of acentralised reportingmechanism

Start up issues

Allocate sufficientresources for planningand implementing PublicSector ICT Securityawareness, training,acculturation andeducation programmes

Security conscious andtrained employees areable to improve ICTsecurity systems

MyMIS


This is performed by:

(a) Improving Awareness

Often the biggest challenge towards making a start in Public SectorICT Security. Users should be exposed to Public Sector ICT Securityissues to bond a common interest in the need to protect ICT systems.By making users aware of their responsibilities, they then becomeaccountable for all their actions or inactions in lapses of security.Teaching users the correct ICT security practices (for example toavoid short cuts) helps mould user behaviour. It also supports individualaccountability, which is one of the most important means of improvingPublic Sector ICT Security;

(b) Developing Skills and Knowledge

To enable users to perform or to take remedial actions in a moreinformed manner. Users tend to behave predictably once they becomeaware of the consequences of their actions. Skills development andknowledge upgrade has always been looked upon as a requirementfor users to perform their jobs in an explained and secure manner.This requires a conscious and concerted effort from management;and

(c) Building In-depth Knowledge

Since threats are becoming more sophisticated, varied and sometimesidentifiable only at the end of an attack, there is always the needto keep abreast with technology, defence mechanisms, methodologies,case studies etc as needed for the design and implementation ofPublic Sector ICT Security programmes.

3.9.1 Benefits of Public Sector ICT Security Awareness, Training,Acculturation and Education

The benefits of the Public Sector ICT Security awareness, training, acculturationand education programmes are as follows:

(a) the formalisation of the Public Sector ICT Security programmesshould indicate the seriousness of the government in protecting itsICT assets. By understanding Public Sector ICT Security issues,employees are able to improve on their behaviour as they becomemore equipped and able to exercise best practices; and

(b) Heads of Department on the other hand are able to hold their staffaccountable for all their actions or inactions and they would nownot be able to plead ignorance.

The awareness stage can be followed by a training programme, such asidentifying vulnerabilities and implementing safeguards. Once the traininghas been conducted, the enforcement and follow-up can follow suit. At thisstage, it would be difficult for employees to provide convincing argumentwhen caught doing something wrong.

Accordingly, the government adopts the principle of accountability as a basisof the Public Sector ICT Security Policy where all users are made accountablefor all their actions or inactions. It is recommended that user accountabilitybe stated clearly and prominently in accordance to the sensitivity of informationaccessed. To ensure that the responsibility is discharged, the governmentrequires that ICT systems possess capabilities that can track user activities.

Benefits of ICT securityawareness, training,acculturation andeducation

Awareness stage which isfollowed by training,programme, enforcementand follow-up

MyMIS


3.9.2 Public Sector ICT Security Awareness

Due to the huge repositories kept and the ingenuity to translate systemweakness into gains, it has become necessary to remind those being trainedabout Public Sector ICT Security the importance of sound Public Sector ICTSecurity practices.

Explaining the consequences of Public Sector ICT Security failure in termsof effects to the organisation (embarrassment, monetary value, recoveryefforts and time loss) and the preventive measures that should have beentaken, should provide enough motivation to protect ICT assets.

There are many types of users of government ICT assets. The awarenessprogramme to be developed should consider the various roles to be extractedand expectations of these different user groups. For example, for those inmanagement, the awareness programme could be designed towards managingthe roles of establishing Public Sector ICT Security.

As for other groups such as those in the technical environment, the awarenessprogramme should be geared towards Public Sector ICT Security relatingto their actual jobs in processing, dissemination or report generation. Intoday’s environment where almost everyone in the public sector has accessto ICT resources, the awareness should consider the different educationalbackgrounds, job specifications and security clearance in deriving the maximumbenefits for all target groups.

AWARENESS TRAINING & EDUCATIONACCULTURATION

Attribute : ‘What’ ‘How’ ‘Why’

Level : Information Knowledge Insight

Objective : Recognition Skill & Experience Understanding

Teaching Media : Practical Instruction TheoreticalMethod : - Video - Lecture Instruction

- Newsletter - Case study & - Discussion- Posters workshop - Seminar- Lecture - Hands-on practice - Background- Class room - Counselling reading- Seminar - Class room

Test - Understanding - Problem Solving Essay (interpretMeasures : - Interview (applied learning) learning)

- Case study - accreditation

Impact Time Short-term Intermediate Long-termFrame :

Table 3.2: Public Sector ICT Security Awareness, Training and EducationProgramme

Importance of ICTSecurity practices

Users are trained basedon the level and jobfunction

MyMIS


The awareness programme should be designed to reinforce the importanceof Public Sector ICT Security and the fact that every one in the civil serviceespecially those who have access to ICT assets, have a role in ensuringand protecting ICT resources. Should employees fail to realise this or shouldthey view Public Sector ICT Security as just another set of rules and procedures,they may end up becoming passive passengers. It is also advantageous thatwhen awareness programmes are conducted, active participation is alwaysencouraged so that views on security threats and vulnerabilities could thenbe used as input to improve Public Sector ICT Security.

The awareness programme is also used to remind everyone of basic securitypractices such as the clear desk policy, need-to-know principle, proper log-outs and accountability. Thus it is recommended that governments departmentconduct regular Public Sector ICT Security awareness programme to coversuggested topics as follows:

(a) threats and vulnerabilities;

(b) impact of disclosure;

(c) roles and responsibilities;

(d) punitive actions; and

(e) abnormal events.

The list presented above may be expanded by the ICTSO when conductingsuch programmes.

In conducting the ICT awareness programme it is also recommended thatrelevant information be used and conveyed through the use of multiple mediasuch as:

(a) presentation papers;

(b) pamphlets, flyers and posters;

(c) films, videos, slides;

(d) CDs; and

(e) video conferencing.

3.9.2.1 Techniques

Established fora such as presentations, seminars, workshops, meetings, talks,lectures, demonstrations, and bulletin boards whether formal or informal shouldbe used. It is also best to incorporate Public Sector ICT Security awarenessinto basic ICT training either at the point of recruitment or through scheduledtraining programmes. It is to be noted that no matter how well the awarenessprogramme is designed, it may be neglected over time. For this reason thedesign of such a programme in terms of techniques and reach should becreative and flexible.

In cases where the awareness programme is conducted through a classroomapproach, it could be arranged either on a stand-alone basis or as part ofanother programme. The medium could be lecture-based, computer-assisted,multimedia-based or a combination of all three. It is also best to includecase studies and a hands-on approach in designing such programmes.

Every employee has arole in ensuring andprotecting ICT resources

Topics to be covered inthe awarenessprogramme

Examples of media to beused to conduct theawareness programme

Awareness techniques

Awareness sessions areconducted via classes

MyMIS


3.9.3 Public Sector ICT Security Training & Acculturation

Different from Public Sector ICT Security awareness, the Public Sector ICTSecurity training & acculturation should be designed with the sole purposeof imparting the necessary skills to users. Armed with the new skill sets, theyshould be able to perform their jobs more effectively. This includes a list ofwhat they should or should not do and how they can go about doing it. Thereare however many levels of Public Sector ICT Security to be addresseddepending on the sensitivity of the installation to be protected. It ranges frombasic Public Sector ICT Security skills to the intermediate level or advancedand specialized skills. It can also be specific to particular ICT systems orgeneric to address common ICT issues.

In order to be effective, the training and acculturation programme shouldfocus on the specific audience or be related to particular job skills. This isto ensure that the right people receive the correct skills to enable them toperform effectively. Under this topic there are two types of users that canbe targeted:

(a) general users; and

(b) specialised or advanced skills users.

3.9.3.1 General Users

This constitutes the majority of users who need to understand good PublicSector ICT Security practices such as:

(a) physical security e.g. protecting the perimeter, power supply, accesscontrol, environmental control, fire hazards, flood, etc;

(b) access security e.g. keeping access codes confidential, authorisedversus unauthorised access, etc; and

(c) reporting responsibilities such as having knowledge of Public SectorICT Security violations, virus incidents and any other form of untowardor unexplained incidents.

All users shall be formally advised by the respective departments regarding:

(a) individual access control, stating privileges based on current jobfunctions; and

(b) the fact that ICT resources that they are privy to, belong to thegovernment including the resources itself, data, stated informationor information that is derived. The government reserves the rightto monitor activities of all users accessing government ICT resourcesfor misuse or use of ICT resources other than the purposes forwhich they were intended.

In designing training programmes, care should be exercised not to overloadgeneral users with unnecessary details. This is because the very same peopleare already the target for other training and acculturation programmes. It isbest to focus on Public Sector ICT Security issues that affect the generalusers directly so that they remain alert to activities that affect them. For thisgroup of users, the intention is to improve basic Public Sector ICT Securitypractices and not to make them experts on Public Sector ICT Securityphilosophy.

ICT training &acculturation should bedesigned with thepurpose of impartingskills

General users

MyMIS


3.9.3.2 Specialised or Advanced Skills Users

Apart from the general users, there is a small group within the public servicethat will require specialised or advanced ICT training on the technical andfinancial aspects of the ICT technology, specialised security products andspecific mitigation efforts on security breaches. This group will include ICTSO,ICT officers and some senior members of management.

The identification of officers requiring specialised training can be done throughvarious means often with the overriding objective to support and complementorganisational goals.

One method is to identify new skill sets that would be required as a resultof changes in requirements. For example, when organisations switch frommainframes to client server systems, it will cause a radical change to thesystem architecture hence affecting Public Sector ICT Security. Another methodis to look at the job categories and job functions to identify skills needingupgrades. The management of skills upgrade, training and new skill opportunitiesis important to ensure the continuous supply of trained and competent humanresource in ICT security. However, this function is often conducted haphazardly.

3.9.4 Public Sector ICT Security Education

The ICT education programme offers a more structured approach towardsre-skilling and skills upgrade in Public Sector ICT Security. It is normallytargeted for ICTSOs or those whose job requires specific Public Sector ICTSecurity expertise.

3.9.5 Implementation

In order to ensure an effective Public Sector ICT Security awareness, trainingand acculturation, it is necessary from the very onset to have proper planning,execution and feedback. There are many approaches that could be used,one of which is outlined below consisting of seven major steps:

(a) understand the core business of the organisation;

(b) identify gaps in Public Sector ICT Security knowledge;

(c) align skill gaps so as to support the organisation’s core business;

(d) identify suitable staff;

(e) secure financial resources and identify training locations; and

(f) execute, maintain and evaluate programme effectiveness.

3.9.5.1 Understand the Core Business of the Organisation

The identification of the core business of an organisation will indicate thenature of the training programme that should be designed and implemented.The underlying factor is that the training programme to be embarked uponshould support the goals and objectives of the organisation. From here onwardsit would be easier to determine the scope of the training programme, whichmay include training for the entire hierarchy or limited to groups. Sincetraining requirements differ, the training programme may need to be tailoredaccordingly or supplemented by more specific programmes.

The overall aim of the ICT education programme is to ensure that ICT assetsare accorded the appropriate level of protection by increasing awarenesstowards Public Sector ICT Security.

Education trainingtowards re-skilling andupgrading the skills

Implementationapproaches

Identification of corebusiness will assist in thedesign of the educationalprogramme

The aim is to ensure ICTassets are protected atan acceptable level

Specialised or advancedskills

MyMIS


3.9.5.2 Identify Gaps in Public Sector ICT Security Knowledge

The purpose of this exercise is primarily to bridge existing gaps in PublicSector ICT Security knowledge pertinent to the organisation. It also helpsto reinforce and build upon basic knowledge already available amongstmembers. Should this not be done, the organisation runs the risk of sendingpeople to the same course resulting in waste.

3.9.5.3 Align Skill Gaps to Support the Organisation’s Core Business

This is also an important aspect in determining that the education programmesupport organisational needs. One method of achieving this task is to listall skills currently available and comparing it with the list of skills necessaryto support the mission of the organisation. In doing so the skill gaps becomeapparent and should be prioritised accordingly.

3.9.5.4 Identify Suitable Staffs

There are many levels of ICT training, each level being suitable to thedifferent categories of staff within the organisation. At the beginning it maynot be possible to meet all the training needs, thus it is suggested that theidentification of staff eligible for training be segmented according to:

(a) Level of Public Sector ICT Security Knowledge

The target audience may be grouped according to its current levelof Public Sector ICT Security knowledge. This may require someresearch to determine the individual skill level. For the ICT expert,a highly technical training programme is more suited than one thattouches on management issues or Public Sector ICT Securityfundamentals. The same can be said for a new recruit who will finddifficulty in understanding highly technical issues;

(b) Job Task or Function

Target audiences may be grouped according to their job task orfunction such as data entry, operations, maintenance, general users,management or network specialists;

(c) Job Category

Different job categories generally carry different responsibilitieswhereby the Public Sector ICT Security training requirement willalso be different. Some examples are application development,systems design, and systems testing; and

(d) Types of ICT Systems Used

Public Sector ICT Security measures vary according to platformsand applications. It may be necessary to design security trainingprogrammes that meet specific requirements of the installation.

3.9.5.5 Allocate Financial Resources and Identify Training Location

Training programmes can be a drain on financial resources especially forcourses that are only available overseas. There may also be a time lagbetween the availability of funds and training dates. Currently in thepublic sector, for budgetary purposes, the planning to secure financialresources takes place once in two (2) years before the training programmestarts.

The aim is to bridgeexisting gaps

The aim is to determinethe education programmesupport organisationalneeds

The aim is to identify thelevel of skill

Training programmeshould be identifiedduring budget

MyMIS


In identifying training locations, departments are required to give preferenceto courses provided by recognized or reputable ICT training organisations.In doing so the course topics, content, methodology, approach, materials,courseware, etc can be assured to be of use and beneficial to the participants.

3.9.5.6 Execute, Maintain and Evaluate Programme Effectiveness

A training programme no matter how comprehensive will remain a trainingprogramme unless it is executed, maintained and evaluated for effectiveness.In terms of Public Sector ICT Security, the training programme should bevisible so there is constant awareness of its existence. The visibility createsawareness signalling a high sense of anticipation. Users on the other handrealise that improper conduct could soon come to an end. In many instances,ICT training programme announcements create a receptive learning mode.

The methods used should include instructor-led sessions with consistentmaterials presented and tailored to the needs of the target audience. It couldexist as a stand-alone, one time training or a series of training with gradualincrease in subject matter. Apart from this, it could be useful to have a mixof classroom with hands-on training and exam.

ICT technology changes so rapidly that it is possible to expect new technologiesin the market every two months. There should be planned effort to keepabreast of changes in the ICT technology especially those that affect securityrequirements.

It is possible that approved training programme needs may become irrelevantwhen an organisation uses new applications or effects changes to itsenvironment. A good example is when an organisation switches to Internettechnology thus renders existing security guidelines useless. Similarly a trainingprogramme can become outdated when there are changes in policies andlaws. Before the advent of e-mail, the government’s official communicationswas through letters, telephones and later facsimiles. With e-mail, new guidelinesneed to be established to regulate its use and to ascertain integrity and pointof origin. Therefore in light of the inevitable changes brought about by eithertechnology or changes in policies/laws, training programmes too should reflectsuch changes.

Similar to other training programmes, the effectiveness of security trainingis not easy to measure. Nevertheless, some form of measurement must bemade in order to justify resources spent. Indicators such as retention ofinformation and adherence to security procedures do indicate a certain degreeof effectiveness.

Organisation could also employ proven programme measurement indicatorssuch as:

(a) Participant’s evaluation of courses/programmes;

(b) monitor Public Sector ICT Security incidents before and after training;and

(c) use of ‘cascade effect’ by requiring returning participants todemonstrate skills and understanding.

Training programmeshould be executed,maintained and evaluatedfor effectiveness

Measure trainingprogramme

MyMIS


More often, the training on Public Sector ICT Security occurs as an afterthought. As threats and vulnerabilities become more sophisticated, liberalisationof the Internet added further exposure to practically all ICT resources. It iscommon knowledge that ICT attacks could be mounted from anywhere withina short time frame and all evidence removed in an equally short time. Thereis therefore an urgent need to match disruptive capabilities with superior on-going counter measures.

3.10 Physical and Environmental ICT-Security

In order to prevent unauthorised access, damage andinterference to premises and information, all proposals relatedto buildings, acquisition, lease, renovation, purchase ofgovernment and private buildings housing informationprocessing facilities have to be referred to the ChiefGovernment Security Officer. The physical protection providedshould commensurate with the identified risk and be based on the principleof defence-in-depth.

3.10.1 Physical Security Perimeter

The physical strengthening of information processing facility is necessary todeter potential intruders. Multiple physical barriers that surround premiseshousing information facilities help to deter, detect and delay intruders. Whereappropriate:

(a) clearly identify the perimeter to be secured;

(b) identify physical vulnerabilities and weaknesses by conducting riskanalysis;

(c) ensure that the perimeter walls are physically sound and entranceinto the perimeter area is only through doors equipped with suitableaccess mechanisms;

(d) use of real floor and real ceiling such that physical threats is seenand not hidden;

(e) control access by means such as registration counter, smart cards,camera etc; and

(f) alarms to detect excessive smoke, heat, moisture and unauthorizedentry

3.10.2 Physical Entry Controls

Once areas are gazetted as Secure Areas, these areas are accorded suitableprotection so as to allow legitimate access. The following controls shouldbe considered.

(a) visitors should be escorted until “handed over” to their change anddetails of their entry and exit duly recorded. For some installations,visitors are accepted by appointment only with predetermined routesand access privileges;

(b) for unmanned counters, use identification tags that doubles as dooraccess control;

(c) allow access to ICT assets and passageway to authorised employeesonly;

Approval from the ChiefGovernment SecurityOfficer for all physicaland environmental-relatedissues

Physical securityperimeter should beconsidered to providephysical barriers aroundthe premises

Secure areas should beprotected

MyMIS


(d) authorised employees and visitors to use clearly identifiable tagsso as to differentiate and to quickly identify trespassers;

(e) review access rights to secure areas regularly to reflect changesin function, job description etc; and

(f) Chief Government Security Officer advice on secure door locks andrelated access control services.

3.10.3 Secure Area

A secure area may be defined as an area where access is restricted andlimited to authorized employees only. This is done to protect the contentsthat are housed in the area. Department heads in consultation with theICTSO is required to review the security requirements of their installationand plan for the provision of suitable protection within the secure area andits immediate surroundings. Consideration should also encompass relevanthealth and safety regulations. Reference should also be made to the ChiefGovernment Security Officer to determine whether to gazette the securearea.

Preventive steps required to be taken to prevent unauthorized access includeall or part of the controls below:

(a) limit the entrance and exit points;

(b) erect gates/grills and install security lighting;

(c) employ security guards equipped with suitable security tools;

(d) locate secure areas away from public passageway;

(e) secure areas to be bereft of markings, signs or any indication tobetray its importance;

(f) secure areas should use doors that slam shut after opening orleave an audible warning when left open for an unreasonable duration;

(g) secure areas should be manned where possible with random patrols.When left unattended, all exits, entrances and windows should belocked;

(h) install intruder detection systems such as cctv and silent alarmslinked to a command control center; and

(i) treat information, no matter how trivial emanating from secure areasas confidential and employ need to know principle.

3.10.4 Working in a Secure Area

Employees and third party personnel may work in a secure area. As such,control mechanisms should be emplaced to prevent any untoward incident.

The following should be considered:

(a) escort third party personnel at all times;

(b) provide separate working areas for employees and third partypersonnel;

(c) halt all production work within secure areas when in the presenceof authorized guest(s);

(d) all work within secure areas should be supervised;

Secured area – areawhere access isrestricted and limited toauthorised employeesonly

Working protocols insecure areas

MyMIS


(e) information about work within secure areas is on a need to knowbasis; and

(f) control movement, transfer, introduction or removal of equipment.

3.10.5 Site Protection for Data Centre and Computer Room

The following site design guidelines and controls should be considered andimplemented where appropriate:

(a) the site shall not be in a location that is vulnerable to natural orman-made disaster e.g. flood, fire, explosion etc. Relevant healthand safety regulations, standards and also any security threatspresented by neighbouring premises should be taken into account;

(b) the site should be made as inconspicuous as possible to give minimumindication of its purpose;

(c) locations of computer facilities should not be identified;

(d) hazardous and combustible materials should be stored securely ata safe distance from the site;

(e) main fallback equipment and back-up media should be at a safedistance to avoid simultaneous damage;

(f) safety equipment should be checked regularly;

(g) emergency procedures should be documented and tested regularly;

(h) doors and windows should be locked at all times and externalprotection should be considered for windows; and

(i) external wall of site should be of solid construction.

3.10.6 Equipment Protection

In order to ensure all equipment are secured accordingly and are fullyfunctional, the following equipment protection guidelines and controls shouldbe considered:

3.10.6.1 Hardware Protection

It is important to ensure that all hardware are secured, operating and functioningwell.

3.10.6.2 Storage Media Protection

In order to ensure the safety of official information stored on mass storagemedia, the following procedures need to be applied:

(a) designate a special restricted area for storage of mass storagemedia containing official information. As such, the restricted areawould be accorded suitable physical protection;

(b) provide special storage facilities approved by Chief GovernmentSecurity Officer such as protective cabinets or other securable storagefacilities for media containing official information. This facility shouldprotect its contents against unauthorised access and/or the effectsof natural disasters such as fire or floods and harmful substances(e.g. dust).

(c) restrict access to the secure storage location; and

(d) document all procedures and access authorisation levels.

Physical andenvironmental protectionfor storage media

Data Centre andComputer Room shouldbe secured

MyMIS


In preventing unauthorised removal, destruction or disclosure of information,the following management procedures are recommended:

(a) provide access restriction and control to all areas containing aconcentration of information storage media. In addition, considerationshould be given to the use of electronic article surveillance securitysystems;

(b) all media should be stored in a safe, secure environment, inaccordance with the manufacturers’ specifications;

(c) logging of all accesses made to the media should be establishedto support accountability;

(d) provide automated media tracking systems for maintaining inventoriesof storage media libraries; and

(e) authorisation for the removal of information should be required fromthe organisation and a record of all such removals should be kept.

3.10.6.3 Documentation Protection

In ensuring that documentation is not open to unauthorised access, considerthe following steps:

(a) store/lock safely and securely;

(b) use physical or electronic security label;

(c) use encryption software for classified document;

(d) handle properly movement of classified document; and

(e) for secure handling of paper documents, refer to Arahan Keselamatan.

3.10.6.4 Cabling Protection

In protecting cables from interception, damage and overloading, considerthe following:

(a) cabling should be physically protected against accidental or deliberatedamage;

(b) select cable type appropriate to its purpose;

(c) plan carefully by taking into account future developments; and

(d) cables should be protected against wiretapping.

3.10.7 Environmental Security

In order to ensure environmental security, proper functioning of critical andsensitive information processing facilities must be given due consideration.

3.10.7.1 Environmental Control

The following guidelines should be considered:

(a) plan carefully the layout of the data centre (console room, printingroom, partitioning of computer equipment, etc);

(b) control room temperature and humidity accordingly;

(c) provide adequate ventilation for work areas;

Cables need to beprotected

Power supply should besuitable and airconditioning should becontrolled

MyMIS


(d) provide suitable eye and nose protection appliances;

(e) printing rooms should be separate from computer equipments; and

(f) use raised flooring in the data centre.

3.10.7.2 Power Supply

All ICT equipment should be protected from power failure. A suitable powersupply should be provided including uninterruptible power supply, if necessary.The use of a stand-by generator is required for critical data centres.

3.10.7.3 Emergency Procedures

Emergency procedures should be established, documented and posted atkey locations. It should be tested at least once a year.

3.11 Cryptography

Cryptography which is traditionally known, as the art of ‘secret writing’ is abranch of mathematics based on the transformation of data. The transformationprocess is called encryption. When encrypted, a plaintext becomes unintelligibleand the unintelligible version is called a cipher text. In order to recover theinitial plaintext, the cipher text must be subjected to a reverse process calleddecryption. Both encryption and decryption are done using a key.

What is cryptography

/1rqpwYcEWsTO/Cv/oF0KGi/cEISZzl+RLSFju8EX8e8Fs42DV59OVTdoG52rCECK&8#1gs8257j82mskJnBhgRgys7%$)(+&^B$#%FTFVtfwbs%c^V7B8(N)M)*&^%$!?3

Ciphertext

➤Encrypt Decrypt

➤

Today, cryptography is the most important and fundamental tool to manageICT security. Its usage is found in almost all aspects where security is ofconcern. This is more than just for keeping secrets (confidentiality), but alsodata integrity, digital signature and advanced user authentication.

Although modern cryptography relies upon advanced mathematics, a typicaluser can still reap its benefits without understanding the heavy mathematics.Nevertheless, there are important issues to be considered when incorporatingcryptography into computer systems. This is because any security solutionshould be seen in totality. Employing strong encryption may still not solvea problem because break-ins are made through other weaknesses andvulnerabilities.

Basically, cryptography relies upon two components namely an algorithmand a key. In modern cryptographic systems, algorithms are complexmathematical formulae and keys are strings of bits. For two parties tocommunicate, they must use the same algorithm (or algorithms which aredesigned to work together). In some cases they must also use the samekey. Such keys are normally kept secret. There are also situations in whicheven the algorithms need to be kept secret.

Importance ofcryptography to ICTsecurity

Encryption is only part ofthe total solution

Cryptography consists ofalgorithm and key

MyMIS


There are two types of cryptographic systems: symmetric and asymmetric.A symmetric cryptosystem (also known as secret-key cryptosystem) usesthe same key to encrypt and decrypt a message, while an asymmetriccryptosystem (also known as public-key cryptosystem) uses one key to encrypta message and a different key (the private key) to decrypt it.

Both types of systems have different features and offer advantages anddisadvantages. Although they can be differentiated, comparing them is likecomparing an apple with an orange. For example, symmetric systems aregenerally faster and require only a single key, whereas asymmetric systemsare slower and need two keys. However, key distribution is a major problemfor symmetric systems, yet it is not so in the asymmetric systems. Often,they are combined to form a hybrid system to exploit the strength of eachtype. In determining which system to use, an organisation needs to identifyits security requirements and operating environment. An appropriate policyshould be developed.

3.11.1 Symmetric (or Secret) Key Systems

In symmetric key systems, two or more parties share the same key, whichis used to encrypt and decrypt data. Here, the security hinges on maintainingthe key secret. If the key is compromised, the security offered is severelyreduced or eliminated. In this type of system, it is assumed that all memberswho share the same key do not disclose it and are responsible to protectit against disclosure.

The best known symmetric key system is the now unused Data EncryptionStandard (DES). It was recommended as a standard by NIST, United Statesuntil it was shown in the early 90’s to be breakable.

Symmetric cryptosystems have a problem: how to transport the secret keyfrom the sender to the recipient securely and in a tamper-proof fashion?Frequently, trusted couriers are used as a solution to this problem. Examplesof symmetric key systems include 3DES (which reuses the DES 3 times),IDEA, RC5, Twofish and Rijndael. Another, more efficient and reliable solutionis to rely on an asymmetric key system.

3.11.2 Asymmetric (or Public) Key Systems

Since a secure cryptographic system requires the periodic changing of anencryption key, key management becomes a significant problem. Asymmetricor public-key encryption which was developed in 1976 addresses this problem.A public key encryption algorithm uses different keys for encrypting anddecrypting information. Information encoded with either of the keys can onlybe decoded with the other key. It cannot be decoded with the same key.These two keys are created together and form a key pair. One of these keysis kept secret by the owner and is known as the private key. The other key,known as the public key, can be published widely. The relationship betweenthe keys is such that it is extremely difficult (impossible for all practicalpurposes) to derive one key from the other.

In a public key system, there is no need for the sender and receiver to sharethe private key. It is only the public key that is distributed. In other words,the private key is never shared. Confidential messages can be sent usingonly the public key, and the decryption process requires the private key thatis held just by the intended recipient. A further, very significant benefit isthat public-key encryption can be used not only to ensure confidentiality, butalso for authentication and digital signature.

Two types ofcryptography systems:symmetric andasymmetric

Comparison betweensymmetric andasymmetric systems

In symmetric system, keyprivacy is most important

Main problem withsymmetric system issecure key distribution

Asymmetric system isdesigned to address keymanagement problem

MyMIS


Examples of asymmetric key systems include RSA (due to the designersRivest-Shamir-Adleman), Digital Signature Standard (DSS), and ElGamal.

The minimum key length for encryption to be used in the public sector is1024 bits and the cryptographic algorithm approved by the government.

3.11.3 Key Management Issues

The importance of looking after the cryptographic keys has raised manyissues. The way they are created, distributed and used is critical to theconfidence placed upon the cryptographic system. It is vital that there arewell understood processes for:

(a) generation of new keys : users to be able to obtain suitable pairsof public and private keys;

(b) publication of the public keys;

(c) verification of the owner of a public key;

(d) determining the validity period of a pair of keys; and

(e) dealing with private keys that are lost or that may have beencompromised.

Today the commonly accepted way to deal with the verification of publickeys is through the use of certificates. A certificate is an electronic documentthat verifies the claim that a particular public key does in fact belong to agiven individual (or organisation).

3.11.4 Disaster Cryptography and Cryptographic Disasters

When a disaster strikes, (see also Section 3.7.2 - Disaster Recovery/ContigencyPlan), ICT components that use cryptography will require special handling.The situations are generally called disaster cryptography and cryptographicdisaster.

3.11.4.1 Disaster Cryptography

A ‘disaster cryptography’ means a situation when disaster affects cryptosystemsand its uses. For a typical ICT component, recovery from disaster may entaila simple recovery using back-up and the person who is directed to performthe recovery may be allowed to read and access the components. However,for components which use cryptography, the procedure is not as straightforwardas that. The person may not be allowed to freely access such assets, ormay not have the key to perform the recovery process.

From the DRP perspective, cryptographic facilities, such as key managementcentres and Certification Authorities (CA), must also be brought back on-line following a disruption. Ensuring that keys remains secure while they aremade available from back-up sites is just one of the complicating factors.Split knowledge in the form of a secret sharing scheme or dual control canbe utilised. However, the back-up site for a certificate authority should usea separate certificate root since the integrity of the signature system isderived from the non-disclosure of the root key which is outside of thecertificate authority’s key generation device.

Minimum key length is1024 bits

Keys need to themanaged properly tomaintain integrity

Disaster cryptography iswhen disaster affects acryptography

MyMIS


If, for example, an organisation uses cryptographic facilities to secure itscommunication, it must be ensured that those facilities (e.g. CAs, keymanagement server) operate with the same security after a disaster.

Therefore every organisation must have a DRP for its crypto facilities. Thecrypto DRP can be complicated because one simply cannot run a back-upfor a CA key service as in the case of a ‘normal’ database. Due to theconfidential character of the data, there must be a secured back-up that hasto be restored in a secure way by trusted staff.

3.11.4.2 Cryptographic Disasters

The second relationship between a DRP and cryptography is planning howto deal with events caused or made complicated by cryptographic services,especially unforeseen failures. As an example, an institution may have anup-until-now-secure logical access control system, yet has noticed clear signsof an intruder into the system. One possibility is that the cryptographic systemhas failed. In such a situation, there should be clear instructions on how toproceed. Without such instructions, well-intentioned acts may exacerbatethe problem. For example, attempting to unravel cipher text by modifying itmay cause permanent damage.

Another example of a cryptographic disaster is the encryption of vital informationby an employee who is now demanding a ransom for the decryption key inexchange for a gain. Such a problem may be solved through technical means(escrow), law enforcement, or negotiation. Unless the organisation plans fora technical solution, other solutions may be expensive, embarrassing, orboth.

No complete list of threats exists and a complete list of counter-measuresis impossible to produce. As a general guideline on this issue of cryptographicdisaster, an information and communications security and disaster recoveryprogrammes of an organisation must address cryptographic threats, at leastin a generic form.

A written policy should cover the following:

(a) regular monitoring of the information processing system for abnormalbehaviour;

(b) procedures to be followed in determining the cause of abnormalbehaviour and guidelines on how to respond to a threat, intruder,compromise, etc;

(c) procedures for dealing with the failure of any cryptographic control;and

(d) provision for the availability of cryptographic services, keying material,and other related services following business interruption.

3.11.4.3 What to do in the Event of a Cryptographic Disaster

Following a disaster, the officer responsible for ICT security in a departmentis required to act based on the Mekanisme Pelaporan Insiden KeselamatanTeknologi Maklumat dan Komunikasi (ICT) as per Appendix H.

Need for crypto DRP

Dealing withcryptographic disasters

Clear instruction torecover fromcryptographic failure

Take steps according tothe incident reportingmechanism when cryptodisaster occurs

Key escrow may help inemergency situations

MyMIS


3.12 Public Key Infrastructure (PKI)

An ‘infrastructure’ is a set of facilities which enable and promote certaintypes of activities. A set of public infrastructure such as roads, bridges, andairports facilitates transportation for economic activities. A Public KeyInfrastructure (PKI) is the combination of software, encryption technologies,and services that enables organisations to protect the security of theircommunications and business transactions on the Internet.

Nowadays, apart from password-based logons, a more secure method is touse digital certificates. Each certificate contains specific identifying informationabout a user, including his name, public key and a unique digital signature,which binds the user to the certificate. Certainly, certificates should not lastforever. Each certificate is issued with an expiry date and sometimes willneed to be revoked early, such as when an employee quits. As with keypairs, there is a need to co-ordinate the issuance and revocation of certificates.That is another function of a PKI, acting as a comprehensive architectureencompassing key management, the registration authority, certificate authorityand various administrative tool sets.

A PKI integrates digital certificates, public-key cryptography, and certificateauthorities into a total, enterprise-wide secure network architecture. A typicalenterprise’s PKI includes issuance of digital certificates to individual usersand servers; end-user enrolment software; integration with organisationalcertificate directories; tools for managing, renewing, and revoking certificates;and related services and support.

PKI protects information assets in several ways:

(a) Authenticate IdentityDigital certificates issued as part of a PKI allow individual users,organisations, and web site operators to validate the identity ofeach other.

(b) Verify IntegrityA digital certificate ensures that the message or document thecertificate ‘signs’ has not been changed or corrupted.

(c) Ensure PrivacyDigital certificates protect information from interception duringtransmission.

(d) Support for non-repudiationA digital certificate validates user identity, making it nearly impossibleto later repudiate a digitally ‘signed’ transaction, such as a purchasemade on a web site.

In the public sector, some services stand out as immediate candidates forthe need of a PKI: e-mail, secure file transfer, document management services,remote access, e-commerce and Web-based transaction services. Supportfor non-repudiation, which ensures that transactions cannot be disowned, isalso required and supplied through the use of digital signatures. Then thereare wireless networks and virtual private networks, in which encryption isessential as a guarantee of confidentiality. For the corporate network ande-commerce, a single point sign-on is a common requirement.

What is a PKI?

More secure method isdigital signature

Some services need PKIimmediately e.g. e-mail,fail transfer, remoteaccess

MyMIS


PKI software comes in different flavours depending on whether an organisationself-develops it or procures it commercially. In each case, the certificatesissued need to conform to the international standard (CCITT X.509v3 iscurrently the referred standard) so that interoperability to other certificationauthorities even overseas is ensured. It is also worth noting that until today,there still exist some doubts among industry experts on the full-fledgedimplementation of an internationally standardised PKI.

3.13 Trusted Third Parties (TTP)

The market has recognised the need for enhanced security services providedby an entity mutually trusted by other entities. These services range fromincreasing trust or business confidence in specific transactions to provisionof recovery of information for which encryption keys are not otherwise availableto authorised entities. Trusted Third Parties (TTP) is the vehicle for thedelivery of such services.

A TTP delivers assurances between its sub-divisions as well as betweenitself and external parties. An institution may choose to set up an internalTTP or subscribe to an external provider for TTP services.

3.13.1 Assurance

A TTP, whether internal or external to an organisation can only add valuewhen users of the services are assured of its quality. In achieving this, aTTP must satisfy itself that the following issues are addressed:

(a) TrustThe TTP must be organised, controlled and regulated in such a waythat its operation can be relied upon, checked and verified.

(b) AccreditedThe TTP must be at least accredited by a recognised national orinternational party.

(c) ComplianceThe TTP must be operated in compliance with accepted industrystandards and relevant regulations.

(d) ContractThere must be a legally binding contract in place covering the provisionof service and addressing all the issues in this list. There must becontracts with co-operating TTPs which also address these concerns.

(e) LiableThere must be a clear understanding as to issues of liability. Areasof concern include circumstances under which TTP may be liablefor damages and whether the TTP have sufficient resources orinsurance to meet its potential liabilities.

(f) Policy StatementThe TTP must have a security policy covering technical, administrative,and organisational requirements.

(g) AuditTTP auditors must be appointed by the TTP controller.

TTP provides thevehicle for safetransactions

Criteria to be met toprovide quality service

MyMIS


3.13.2 Services of a TTP

The services, which a TTP provides, may include:

(a) key management for symmetric cryptosystems;

(b) key management for asymmetric cryptosystems;

(c) key recovery;

(d) authentication and identification;

(e) access control;

(f) non-repudiation; and

(g) revocation.

Key recovery is the ability of a TTP to recover, either mathematically, throughsecure storage, or other procedures, the proper cryptographic key used forthe encryption of information. This function would assure an institution thatit can always have access to information within its information processingresources. Such a recovery service may be essential in disaster recovery.It may also satisfy law enforcement regulations for an institution to be ableto produce such a key or encrypted information in answer to a lawful courtorder.

3.13.3 Legal Issues

Government departments have higher-level requirements for record retrieval.The contract with a TTP should address specific issues relating to maintenanceof keys used for encryption, authentication, and digital signature as thesemay need to be reproduced many years later.

Liability for the poor services of a TTP may include direct and consequentialdamages and must also be fully understood by the management. In the firstplace, the TTP must have adequate financial reserves or insurance to meetany liability.

What is a key recovery?

Government’s contractwith a TTP needs toaddress legal issues

MyMIS


Chapter 4 TECHNICAL OPERATIONS

This chapter discusses the management and the use of safeguards incorporatedin ICT assets and other related devices. This chapter seek to explain inmore detail the various option available that could be use to further enhancethe management of ICT security. It covers the various aspects of computersystems, operating systems, application systems and network systems.

4.1 Computer Systems

As defined in the Public Sector ICT Security Policy Framework, the ICTasset component comprises of information processing facilities such asmainframes, minicomputers, microcomputers, laptops, notebooks, palmtops,servers, workstations, departmental, corporate and personal computers aswell as communication facilities and network equipment such as the facsimile,fixed line telephones, mobile telephone systems, power supplies, environmentalcontrol units, routers, bridges, switches, computer and communication hardwareand software, utility programs, operating systems, documentation andapplications software. The housing facility is also part and parcel of thepublic sector ICT asset. With regard to the ICT security of these systemsand sub-systems, the following controls need to be exercised:

4.1.1 Change Control

Change Control can be defined as the processes initiated to manage andcontrol planned changes about to occur and that the changes will affect ICToperations or its environment. The triggering Change Control events may bescheduled or in response to an emergency. ICT being volatile, Change Controlis necessary to protect the integrity of information processing systems andshould exist to meet changes in hardware configuration, software changes,manual procedure changes or other changes that will affect service delivery.

Change control is established to ensure smooth migration and minimaloperational disturbance. As such, it should be well thought off and effective.Change control should consist of at least the followings:

(a) formal change request;

(b) formal authorisation process;

(c) test and system acceptance procedure for every change to consistat least unit test, component test and integration test;

(d) fully documented changes and expected outcome;

(e) virus checks before and after changes are made, where appropriate;

(f) back-up and restore procedures to capture the system image priorto the new environment; and

(g) explanatory exercise for user buy-in.

ICT assets component

Change control procedureshould exist for hardware,software, manualprocedure and emergencychanges

Establish effective changecontrol procedure

MyMIS


4.1.2 Equipment Maintenance

Equipment under maintenance or scheduled for maintenance can be avulnerability source. To ensure the integrity of equipment, implement thefollowing security controls:

(a) ensure correct equipment is sent for maintenance and thatmaintenance is due or necessary;

(b) maintenance conducted by authorized personnel;

(c) remove sensitive information if possible;

(d) equipment containing sensitive information when under maintenanceshould be supervised;

(e) inspect and test equipment before and after maintenance;

(f) record all faults and detail of repairs; and

(g) virus checks before and after maintenance, where appropriate.

4.1.3 Disposal of Equipment

To prevent inadvertent disclosure through disposal of equipment conduct thefollowing:

(a) erase or destroy all information regardless of sensitivity and performconfirmation. In some instances, it may be necessary to destroy theequipment; and

(b) record all disposal and method used to erase or destroy theinformation.

4.2 Operating systems

There are various categories of operating systems. The most secure operatingsystem tends to be very close and proprietary and the least secure are moreopen and known to many. The security level of operating systems is categorisedbased on well-known security standard such as the Trusted Computer SecurityEvaluation Criteria (TCSEC) also known as ‘The Orange Book’ and the CommonCriteria (CC).

It is advisable that all government computers handling Rahsia and RahsiaBesar information use trusted operating systems certified to a level equivalentto or above B1 Security of TCSEC.

Due to the fact that the operating system controls all applications runningon the computer and most technical staff is capable of manipulating theoperating controls, it is therefore prudent to prevent intentional or inadvertentsecurity breaches through the operating system. If possible, all changes tothe operating system should acquire prior approval and later be monitoredby knowledgeable security and audit personnel. An essential rule is to disallowtechnical staff other than authorised system administrators to operate amainframe, minicomputer, desktop server or have access to its operatingsystem. Where this is not feasible, close supervision is imperative.

Ensure sensitiveinformation in equipmentto be disposed isproperly erased

Secure operating systemstested against securitystandard such as TCSEC

Rahsia and Rahsia Besarshould reside on trustedOS equivalent to a B1security level or above

Only authorised systemadministrator should beallowed to access hostOS

MyMIS


4.2.1 Proprietary Issues

ICT Managers and planners should have in-depth knowledge and understandingof the implication of choosing specific operating systems and their impacton the legacy and future systems. As much as possible, the public sectorshould remain with the non-proprietary operating system to eliminate theunnecessary cost of maintenance except in instances where high securityis needed.

The right balance between security and openness must be properly definedby the assistance of security specialists and to take into consideration thebusiness needs against serious implications.

4.2.2 Shareware and Freeware Operating System Issues

The use of shareware and freeware operating system should be carefullyconsidered. Any downloaded shareware or freeware may contain maliciouscode that pose a threat to the security system of the organisation.

Downloaded shareware or freeware should not be used to process governmentdata because this may cause spreading of malicious code. If unavoidablethe shareware or freeware must be screened against such code before beinginstalled.

4.2.3 Logical Access Control

This is a set of controls employed at ICT installations aimed at permittingonly authorised access and providing fast access failure reporting. Some ofthe access control mechanisms employed is described below:

The materials can be used to formulate departmental access control policy.The ICTSO has to decide which is mandatory, optional or conditional.

4.2.3.1 Identification of Users

Users of ICT systems can be an individual or a group of users sharing thesame grouped user account. In both circumstances, users should assumeresponsibility for the security of the ICT system they are using. Some of thesteps undertaken to positively identify legitimate users of the ICT systemare:

(a) assign a unique user ID to each individual user. It is best to consultthe user on the actual ID to be used rather than assigning a pre-determined user ID. In other words allow the flexibility for the userto choose his or her own ID or provide the ability to change theID on first use;

(b) hold each and every individual accountable for all activities underthe registered user ID;

(c) ensure that there are auditing facilities to trace all user activities;and

(d) ascertain that all user IDs are created upon legitimate departmentalrequest and leave no opportunity to create unneeded user IDs.

Need to balance betweensecurity and openness

Access control isessential to preventunauthorised access andprovide fast accessfailure reporting

Steps to ensure onlylegitimate users use thesystem

MyMIS


In ensuring that unused user IDs (example due to long leave, attendingcourses, etc) are not misused:

(a) suspend all user privileges after 30 days of non-use and deleteafter 30 days suspension; and

(b) revoke immediately all privileges of users who have been re-assigned,transferred or terminated.

The system administrator should be informed on occasions where users areaway from the office for a duration of more than seven (7) days so as toenable periodic monitoring.

It is possible that security incursions might have occurred in the past withoutbeing detected. Therefore it is good practice to archive audit trails of useractivities. However, the down side of such activity is storage requirement.It is recommended that activities of users who have access to sensitiveinformation be archived.

4.2.3.2 Authentication of Users

One of the salient principles of ICT security is the authentication processthat confirms the validity of the user or point of origin of the communicationthrough the use of passwords. It is further strengthened by controls suchas the requirement for all users to make immediate reports in cases of lost,compromised, suspected loss or suspected compromised passwords.

In order to minimise password disclosure:

(a) passwords should be entered in a non-display field;

(b) be of minimum length of eight (8) characters;

(c) require and enforce that passwords be changed at least once in30 days;

(d) make available distress passwords for sensitive operations (a distresspassword is different from the normal user password and is usedas a pre-arranged signal to indicate duress or coercion);

(e) passwords shall not be shared or made known to others, includingadministrators;

(f) instruct users not to use easily guessed passwords, i.e., own names,phone numbers, date of births, common words or numbers;

(g) use combinations of both alphabets and numeric characters;

(h) all passwords should be memorised and be stored in a securedlocation if required to be written down;

(i) encrypt password during transmission, where possible;

(j) store password files separately from the main system applicationdata;

(k) prevent reuse of the user’s last four (4) passwords;

(l) prohibit the display of passwords on input, reports, or other media;and

(m) one time password - the generation of new passwords for eachsession using pre-determined information that the user possessesor knows.

It is good practice toarchive audit trails ofuser activities

Authentication is normallyby passwords

MyMIS


Proper authentication through use of dynamic passwords can be assured byimplementing some of the following measures:

(a) selecting authentication tokens that are user changeable or activatedby biometrics data;

(b) prohibiting the sharing of token PINs;

(c) ensuring that security tokens are resistant to tampering and duplication;

(d) using a different PIN from the user ID;

(e) using the PIN of minimum eight (8) length characters;

(f) randomly generated passwords to be used only once;

(g) encrypting keys and other information critical to authentication withinthe token and on the validating system;

(h) locking access after three (3) invalid tries;

(i) maintaining an inventory control on security tokens;

(j) requiring employees to acknowledge receipt of security tokens andexplain conditions of use together with consequences of misuse;

(k) taking steps to recover immediately dynamic tokens from the employeeupon reassignment or termination and terminate access privilegesassociated with the token assigned to the employee;

(l) conducting one-time challenge i.e. the ICT system challenges theauthentication of the user when users log-on. To provide the answer,a specialised (hand-held) device would normally be used whereupon input of the challenge, the authentication code is revealed.The user then proceeds to submit the authentication code. Theauthentication code is only used once and not repeated;

(m) using the digital certificate and electronic signature i.e. the use ofa trusted third party appointed by the government; and

(n) using Biometrics or the process of using a unique attribute held bythe person as a means of identifying that person including fingerprints,iris patterns, voice, face geometry, the shape and size of hands andfingers etc.

4.2.3.3 Limiting Log-on Attempts

It is recommended that log-on be limited to three (3) attempts. The user IDshould be suspended after the maximum of three consecutive unsuccessfullog-on attempts. To begin investigation of attempted log-on, use the informationdetailing the attempted log-on as a reference point. The legitimate usershould also be informed of such attempts.

Where authentication is used, there should be a time limit to verify theauthentication. It is suggested that the authentication time limit be set to two(2) minutes (depending on organisation or location of logging-on) upon whichthe session is terminated.

Maximum loggingattempts limited to 3

MyMIS


4.2.3.4 Unattended Terminals

In order to prevent unauthorised use of unattended terminals connected liveto a system:

(a) activate the authentication process after a 10 minutes lapse of inactivitybefore allowing work to continue;

(b) activate a one-button lockup or initiate shut-down sequence whenterminal is inactive;

(c) avoid storing passwords or any information that can be used to gainaccess on workstations; and

(d) implement password screen saver.

4.2.3.5 Warning Messages

It is recommended that all users be reminded of their accountability whenaccessing ICT resources. This could be done, prior to log-on, by displayinga warning against unauthorised access or improper use and the consequencesfor such activity.

4.2.4 Audit Trails

Audit trails are records of activities used to provide a means of restructuringevents and establishing accountability. The audit trail information is essentialin an investigation when problems occur.

Provide an audit trail for computer systems and manual operations when:

(a) critical information is accessed;

(b) network services are accessed; and

(c) special privileges or authorities are used, such as, securityadministration commands, emergency user IDs, supervisory functions,and overrides of normal processing flow.

Include in the audit trail as much of the following as is practical:

(a) user identification;

(b) functions, resources, and information used or changed;

(c) date and time stamp;

(d) workstation address and network connectivity path; and

(e) specific transaction or programme executed.

Provide, where practical, an additional real-time alarm for significant security-related events such as:

(a) access attempts that violate the access control rules;

(b) attempts to access functions or information not authorised;

(c) concurrent log-on attempts; and

(d) security profile changes.

Display warning againstunauthorised accessclearly

Audit trails are recordsuseful in events ofmishaps

Provide additional alarmfor security relatedevents

Ensure safety proceduresare carried out onunattended terminals

MyMIS


In such cases:

(a) investigate and report suspicious activity immediately;

(b) ensure that System Administrator reviews the audit trail informationon a timely basis, usually daily;

(c) investigate and report security exceptions and unusual occurrences;

(d) retain the audit trail information for an appropriate period of timefor business requirements; and

(e) protect audit trail information from deletion, modification, fabricationor re-sequencing, by use of Machine Access Control (MAC) or digitalsignature.

4.2.5 Back-up

In order to ensure that the system can be recovered in the event of adisaster, regular back-up should also be done whenever the configurationof an operating system is changed. This back-up must be kept in a secureenvironment.

When doing back-up, consider:

(a) document back-up/restore procedures;

(b) keeping three (3) generation of back-ups;

(c) keep back-up copies off site; and

(d) test back-up media and restore procedures.

4.2.6 Maintenance

In order to maintain, the integrity of the operating system against securitybreaches and vulnerabilities, employ the following controls:

4.2.6.1 Patches and Vulnerabilities

New vulnerabilities and bugs are constantly being discovered and oncediscovered they are broadcast and released by authorised security agenciessuch as Malaysian Computer Emergency Response Team (MyCERT), CanadianComputer Emergency Response Team (CCERT) or Australian ComputerEmergency Response Team (AusCERT) as well as software providers likeMicrosoft. It is the role of the ICTSO or System Administrator to be awareand keep abreast of this development issued by Government ComputerEmergency Response Team (GCERT) and implement the suggestions.

4.2.6.2 Upgrades

Procedures should be established to maintain the most current version ofthe operating system. However the decision to upgrade to the latest versionneed to be evaluated based on its implication to the overall system operationas well as cost incurred.

MyMIS


4.3 Application System

Within the public sector a mixture of commercially and internally developedapplication software have been installed and are in use. In general, all accessto software must always be justified and authorised.

The following controls should be implemented for the protection of softwareand the information that it processes:

4.3.1 Application Software

Within the application of the software, ICT security control should beimplemented to prevent unauthorised access, modification, disclosure, ordestruction of information. Some of the controls include:

(a) an integrated system security with an operating system access controlfacility, that allows for centralised and standardised user ID andpassword management;

(b) an established access profile structure that controls access toinformation and functions based on need-to-access requirement;

(c) consistent access controls on information that is replicated on multipleplatforms. For example if a person is allowed to have read accessto information in a certain operating system (e.g. Windows), thisread access right applies to the other operating system (e.g. UNIX);

(d) an application control that identifies specific accountability of a userusing a user ID. All transaction details should at least be loggedwith a user ID, showing time, date and activity;

(e) an information ownership incorporated system, where ownershipmay be accountability on a group or individual level;

(f) an application of the location control method that restricts accessat specified locations or areas;

(g) dual control capabilities for identified critical transactions. Example:the requirement to have two (2) persons holding a user ID andpassword to transact monetary movement; and

(h) immediate logging and report of violation messages in case ofoccurance.

4.3.2 Databases

Controls should be implemented to protect databases from unauthorisedmodification or destruction. The integrity of information stored in databasescan be maintained through the following:

(a) a database management system that ensures the integrity of updatingand retrieval of information. Concurrent control is required for user-shared databases;

(b) a controlled access to information specified by either SystemAdministrator, ICTSO or CIO; and

(c) an access control mechanism to physical information resources torestrict access to authorised information management systems,applications and users.

Databases need to beprotected fromunauthorised access

Public sector uses bothcommercial and internallydeveloped software

Implement ICT securitycontrol within applications

MyMIS


4.3.3 Systems which Employ Artificial Intelligence

Applications using artificial intelligent (AI) techniques such as automatic decision-making should include controls specific to that technology as follows:

(a) secure knowledge bases used by inference engines or similar AIprocessing techniques as well as a regular review for accuracy andeffectiveness;

(b) set a maximum limit on automatic decision making ability of Alsystems or AI sub-systems of conventional applications to ensurethat unexpected errors of failures can be determined;

(c) an AI system which is used to make highly sensitive decision mustnot be set in a totally automated mode. Instead it should act in aninteractive mode with humans to ensure that vital decisions areapproved;

(d) set controls on information used in training of neural networks basedapplications;

(e) monitor the stability of neural network based-applications foreffectiveness; and

(f) build all AI systems within programmed decision enclosures to ensurethat the control of decision-making is kept within reasonable limitsaccording to the information being processed.

4.3.4 Application Testing

One aspect of application systems development using the Software DevelopmentLife Cycle (SDLC) methodology is that of testing, which is required duringthe final stage of development. It involves the testing of a newly acquiredapplication, upgrading an application or migration from old to new hardware.This is required to ensure that systems are working according to specifications.

In order to protect information from disclosure or inappropriate processingduring application testing:

(a) use dummy or historical data for testing purposes;

(b) establish a policy that controls the use of classified informationduring application testing and use access control to limit access toappropriate personnel only;

(c) dispose of information used in the system during testing (especiallywhen using the historical data); and

(d) require the use of physically separate environments for operationaland development systems. This can be applied by establishing adevelopment environment for the developers to design, develop,test and integrate the application systems.

4.3.5 Defective and Malicious Software

Development of software can be categorised into two (2) types: internaldevelopment or outsourcing. Both cases will encounter the defective software.In most cases the defect will be determined during the testing stage.

Security controls shouldbe included in AI basedapplication system

Testing to ensureapplications functionaccording tospecifications

Protect data duringtesting

Internally developed oroutsourced software couldbe defective

MyMIS


However, to minimise the probability of latent defects in software, controlsshould be properly implemented as follows:

(a) require the software acquisition system to select vendors with agood reputation, a proven record and sufficient resources. This isan important criterion to minimise the possibility of the supply ofdefective software. It will also improve the level of confidence inthe acquisition of the software;

(b) establish a quality assurance programme and the procedure for allsoftware developed internally or acquired externally;

(c) require that all software be fully documented, tested and verifiedto its maturity, robustness and effectiveness; and

(d) if it is discovered in the future that the software provider hasinadvertently included malicious code into the software system (e.g.system may be used for international espionage or intelligencegathering on government information) then a liability clause mustbe included in the contract.

Users are required to report defective or malicious software to the helpdesk.

4.3.6 Change of Versions

Software (application, OS, utilities, tools) is upgraded regularly. New versionsare issued to ensure it is bug free and to upgrade functionalities. Howeverchanging of software versions should be controlled to maintain the integrityof the software when changes are made and this requires change controlprocedures to be followed [Refer to 4.1.1 Change Control].

4.3.7 Availability of Source Code

If the software system were developed internally, the source code would beeasily available. However, if the system is purchased off the shelf, mostvendors do not supply the source code to their customers. In order to ensurethat source code is available for debugging or enhancement, controls shouldinclude the following:

(a) establish procedures to maintain the most current version ofprogrammes written; and

(b) consider an escrow agreement for purchased software for whichsource code is not available in the event of disaster or nationalsecurity breach.

4.3.8 Unlicensed Software

Unlicensed software is illegal. The Malaysian Copyright (Amendment) Act1997 specifically prohibits the use of unlicensed software. The Ministry ofDomestic Trade and Consumer Affairs enforces this Act and monitors theuse of unlicensed software.

Usage of licensed software means software for which a license has beenissued and control of inventory such as the safe keeping of the license. Theinventory includes the physical control of the location of the licensed softwareand a copy of the license issued.

Consider escrowagreement for purchasedsoftware for which sourcecode is not available

Control and maintainintegrity of software withnew versions andupgrades

Unlicensed software isillegal

MyMIS


4.3.9 Intellectual Property Rights

The Intellectual Property (IP) right is the right to claim ownership of a document,software or other creation.

Commercial software products are usually supplied under a license agreementthat limits the use of the products to specified machines and may limitcopying to the creation of back-up copies only.

In order to prevent infringement of intellectual copyrights due to unauthorisedcopying of software on mass storage media, compliance to the MalaysianCopyright (Amendment) Act 1997 must be ensured at all times.

It is recommended that the IP rights for in-house or jointly developed softwarebe specified in the contract.

4.3.10 Malicious Code

In order to maintain the integrity of information and protect it from disclosureor destruction from malicious code such as viruses, Trojans or worms, thefollowing controls should be applied:

(a) install a system and implement a procedure to manage maliciouscode. All software acquired should be screened for such code priorto installation and use;

(b) establish a written policy on downloading, acceptance and use offreeware and shareware;

(c) authenticate software for applications using MAC or digital signature.Failure to verify indicates a potential problem and all use of thesoftware should be halted;

(d) distribute instructions on the detection of malicious code to all users;

(e) establish a policy and procedure for the checking of diskettes; and

(f) seek assistance in case of suspected infection. Assistance may besought from internal technical staff and/or vendors.

In ensuring recovery of processing capability following a malicious codeattack, certain steps need to be performed including the following:

(a) retain an original back-up copy of all software, data and informationfor the purpose of restoration; and

(b) ensure that all data are backed up regularly.

In the case of virus infection, the following steps are recommended:

(a) use the approved virus application software;

(b) scan the virus using the facility from the software;

(c) delete and/or remove the virus immediately; and

(d) check the status of the scanning from the software report log.

4.3.11 Unauthorised Memory Resident Programs

Memory Resident Program (MRP) is a program that is loaded into memorywhere it remains after it finishes its task, until it is explicitly removed or untilthe computer is turned off or reset. The program can be invoked again and

IP rights for developedsoftware should bespecified in the contract

Perform periodicinspection of installedsoftware

MyMIS


again by the users (with the aid of a hot key) or by an application. In orderto prevent unauthorised MRP, for example those that allow seemingly normalprocessing to take place but retain ultimate control over functions of theprocessing resource, perform periodic inspection of software installed toascertain whether any unauthorised software has been inserted:

(a) implement additional controls (based on business needs) such as,token-based authentication devices, security modems that can providepassword and dial-back controls or remote computing software thatcan provide password controls; and

(b) use secure remote access approved equipment.

4.3.12 Software Provided to External Parties

There may be cases where software is provided by government to externalparties such as a private company owned by the government. In order toprevent unauthorised destruction or modification of such software, the followingcontrols should be implemented:

(a) create and secure a dedicated environment for diskettes, CDs orother storage media. This should include physical and logical controlson the hardware, software and diskettes used for creation, copying,and protection; and

(b) require a written statement from distributors of software againstmalicious code.

In order to protect the public sector against claims of negligence due to theuse of provided software, ensure the following controls:

(a) execute an agreement with external parties to whom software isprovided that enumerates each party’s responsibilities, required securityduties and limits on liability; and

(b) maintain sufficient documentation to prove that the provided softwarewas not the cause of viruses or other malicious code.

4.3.13 Software from External Sources

Care should be taken to prevent software being introduced into the domainthrough software downloading facility without the specific request or consentof the department. As an example, software providers will often downloadsoftware to their customers. Another example is the downloading facility setup by vendors to distribute the latest version of the software.

In order to prevent unauthorised software from appearing in the systeminclude the following:

(a) establish procedures on the downloading of software from externalsources;

(b) organise a mechanism where downloaded software can be distributedinto a server in a demilitarised zone (DMZ) to be accessed by aSystem Administrator later; and

(c) require the firewall to include virus scanning or ensure that anyexecutable file is scanned for viruses before it is introduced intothe network.

Prevent introduction ofunauthorised softwarefrom external sourcesinto the system

Secure a dedicatedenvironment for softwareor insist on writtenstatement from vendors

MyMIS


4.4 Network System

A network is a system, which interconnects a multitude of computers andworkstations for the purpose of communications and information/resourcesharing. In keeping the various interconnected parts of the system interoperable,rules and procedures must be established. In a secure processing environment,networks have additional ‘layers’ of rules and procedures imposed, eachaddressing unique security requirements, with no one set of requirements(software or hardware) applicable to all security issues for any specific situation.

Problems could occur because there are layers of security, each very narrowlyfocused for specific conditions. In case of ever emerging systems and newequipment with greater capabilities and a multitude of abbreviations andoperating names, ‘old’ rules can be easily forgotten in favour of simple waysof dealing with security, regardless of the layers involved. This tendency hascreated both the need for increased understanding of the various securitylayers when using shared resources in multi-secure network environments,and also the need for continuing industry awareness of network securityproblems.

Customers or contractors being seriously interested in connecting togovernmental network must have all applicable security policies, standards,and procedures, before access is granted. These requirements should ensurethat minimum-security practices are always in place. Password protection forlocal file servers must be enforced for all users before access to the networkis granted. Local hosts must report all non-local site accesses. This auditingcapability should ensure unauthorised accesses are traceable.

4.4.1 Securing a Network

Poor administrative practices and the lack of education, tools, and controlscombine to leave the average system vulnerable to attack. Research promisesto alleviate the inadequate supply of tools and applicable controls. Thesecontrols, however, tend to be add-on controls. There is a need for the deliveryof secure complete systems, rather than the ability to build one from parts.The average administrator has little inclination to perform these modificationsand no idea how to perform them.

Extensive connectivity increases system access for hackers. Until standardsbecome widely used, network security will continue to be handled on asystem-by-system basis. The problem can be expected to increase if andwhen the Integrated Systems Digital Network (ISDN) is implemented withoutappropriate security capabilities.

A promising note for the future does exist. Multiple sets of tools do not needto be developed in order to solve each of the potential threats to a system.Many of the controls that will stop one type of attack on a system will bebeneficial against many other forms of attack. The challenge is to determinewhat is the minimum set of controls necessary to protect a system with anacceptable degree of assurance.

4.4.1.1 Design of a Secure Network

The design of a secure network shall consist of network elements that caterfor end-to-end security. The design must first undergo a process of securityassessment during which the organisation states its aims and objectives,scope of security and whether there is a need for end-to-end security, inter-network security or security at the internal systems only. From here theorganisation then combines the business needs and network risk analysis.

Measures to protectnetwork equipment

Add-on controls

Ensuring end-to-endsecurity for a securenetwork

MyMIS


The next step is to identify and determine the assets that need to be protected,including the information types, where and the degree/level of security protectionneeded. After all assets and their security requirements are determined, thenetwork and systems architecture to support the different objectives andaims has to be established, taking into account the security needs of eachsystem and application.

The design must also identify potential threats and vulnerabilities, and establishthe preventive systems, policies and procedures to protect the information.The finished design can take many forms but for the purpose of these guidelines,a generic architecture is described as in the figure below:

Ensuring a range ofappropriate securitycontrols

Figure 4.1: Generic Network Security Architecture

Key :ES = End System RS = Relay SystemLN = Local Network LE = Local Environment

From Figure 4.1 above, the generic network security architecture applies toany network-to-network connectivity. The most vulnerable part of the networkis RS where the router and switches are located. It is at this point of thenetwork that security gateways are normally placed in the form of firewallsor other security equipment that cater for data encryption, data originauthentication, data integrity and access control. All these must also beincluded based on the requirements identified during the security assessmentprocess.

The security gateways can be a simple firewall that separates connectionsto other networks and the two network zones; namely the DMZ and thesecure zone. It may also include VPN modules and/or encryptors/decryptors.

The other considerations at the department’s client premise include the needto have Intrusion Detection System (IDS), virus scanners and data encryptionat the local environment (LE). The decision to use IDS is also subject torequirements that are determined during security assessment.

4.4.1.2 Network Security Controls

Appropriate controls should be established to ensure security of data inprivate and public networks, and the protection of connected services fromunauthorised access.

A range of security controls is required in computer networks. Individualusers should be aware that connecting their computer to the network couldallow unauthorised access to private data if appropriate controls are notestablished. Documentation should be available to the user detailing howto adequately secure their data should they wish to make it available on anetwork.

MyMIS


Network managers should ensure that appropriate controls are establishedto ensure the security of data in networks, and the protection of connectedservices from unauthorised access. Special attention is required to protectsensitive data passing over public networks like the Internet.

4.4.2 Security of Network Equipment

In order to effectively include security in the procurement process of networksystems or equipment, it must be integrated into the procurement cycle fromits inception. Sufficient information about the procurement cycle is includedto allow a person not familiar with the procurement process to understandthe need for incorporating computer security into the procurement cycle.

Acquisition planning can only begin after an agency has determined that aneed exists. The need determination phase is very high-level in terms offunctionality. No specifics of a system are defined here. The idea for a newor substantially upgraded system and the feasibility of the idea need to beexplored. During this early phase of the acquisition, the definition of thesecurity requirement should begin with the preliminary sensitivity assessment.

The preliminary sensitivity assessment should result in a brief qualitativedescription of the basic security needs of the system. These should beexpressed in terms of the need for integrity, availability, and confidentiality.This does not require an elaborate sensitivity analysis scheme, but mustinclude an assessment of the significance of the systems. Legal implications,federal policy, agency policy, and the functional needs of the system helpdetermine the sensitivity of a system. Factors including the importance ofthe system to the agency mission and the consequences of unauthorisedmodification, unauthorised disclosure or unavailability of the system or datashould be considered when assessing sensitivity.

4.4.2.1 Installation Security

After undergoing a security check during the procurement process, anyequipment that is to be installed must have undergone a Factory AcceptanceCheck (FAC), prior to installation, and then configured.

4.4.2.2 Physical Security

The following standards of physical security must be observed:

(a) premises housing network control equipment must be physicallystrong and free from unacceptable risk such as flooding, vibration,dust, etc;

(b) air temperature and humidity must be controlled to within equipmentdefined limits; and

(c) network electronics must be powered via Uninterruptible Power Supply(UPS) to provide the following:

i. minimum of 15 minutes’ operation in the event of a powerblackout; and

ii. adequate protection from surges and sags.

Pre-installation securitycheck

Ensuring physical security

MyMIS


4.4.2.3 Physical Access

(a) Network Cabling Access

As far as practical, network infrastructure must be protected fromunauthorised access. Tools are readily available which allow networkports to be monitored, or the operation of the network to be disrupted.In order to minimise the risk of network interference considerationshould be given to:

i. protecting cabling in public areas with conduits or otherprotective mechanisms;

ii. in a structured wiring area, ensure that network and telephonepoints that are not in use have been detached from the activenetwork or telephony equipment;

iii. telephony and networking risers and data cabinets can onlybe accessed by authorised personnel;

iv. information, which is being transferred over a less securenetwork (e.g. the Internet) is encrypted; and

v. highly accessible access points such as networked modemsshould have associated and appropriate security mechanisms.

(b) Network Equipment Access

All network equipment should be placed in physically secure areas.This includes, but is not limited to, backbone and access routers,hubs, bridges, and gateways. Network file servers are covered bythis policy as well, especially when acting as a router between LANtypes, such as Ethernet to Token Ring. Networking equipment shouldnot be placed in an office environment. Rather, such equipmentshould be placed in the communications room of the office buildingbeing served, and access restricted to authorised personnel. Inaddition:

i. access to areas housing network electronics shall be controlledby designated ICTSO; and

ii. doors to areas housing network electronics should be lockedwith a unique key, the distribution of which will be determinedby the ICTSO.

4.4.2.4 Logical Access

(a) An ID and password should be required to gain access to routersoftware. Only authorised personnel should be provided access,along with the minimal privileges required for performing the necessarytasks. The ICTSO administers the creation of the router IDs, passwordsand privileges. Proper management authorisation should be requiredfor all access requests. A list of these ‘management authorisers’must be maintained and updated at least once a year. Requestsfor access must be maintained for the life of the IDs.

(b) Password composition and maintenance must be consistent withthe guidelines. Passwords must be changed approximately every30 days, as well as after security events, in emergency situations,when an employee transfers, or any other incident in which thepassword may be compromised.

Protection againstunauthorised access

MyMIS


(c) All access to routers must be logged and maintained, including theperson, time of day, and nature of activity. This information mustbe maintained for 90 days. Daily audit trails are to be monitoredfor unauthorised access attempts. Managers will take appropriateaction with respect to all unauthorised access attempts.

(d) The network should only accept traffic from properly registeredaddresses. All router software changes must be logged, includingthe person making the change, management approval of the change,date and time. Access via modem will be accommodated only understrictly controlled conditions.

(e) Router configuration change authority is to be centrally managed.All routers should have active filter tables to ensure that only authorisedaccess is allowed. In environments where information is especiallysensitive, additional precautions may be required, such as dataencryption, and security gateways. These precautions should betaken as requested or required, and will be offered as additionalservice to the base level.

4.4.2.5 Unauthorised Use of Equipment

The unauthorised use or interruption of network equipment can be preventedby:

(a) controlling access to network equipment by logical access controlslisted above;

(b) locating network equipment in a physically secure environment;

(c) erecting a physically secure wiring closet, accessible only by authorisedpersonnel;

(d) routing network cabling underground or through conduits, whereverpossible;

(e) maintaining an inventory of network equipment, which is periodicallyreviewed; and

(f) prohibiting the use of any unauthorised modem.

4.4.2.6 Equipment Configuration

On critical network subnets, it is absolutely important to correctly configurenetwork equipment. It is imperative to check for the following:

(a) enable only needed services;

(b) restrict access to configuration services by port/interface/IP address;

(c) disable broadcasts;

(d) choose strong (non default) passwords;

(e) enable activity logging; and

(f) carefully decide who should have user/enable/administration access.

4.4.2.7 Equipment Maintenance

Equipment should be installed, operated and maintained according to themanufacturer’s specifications. Properly qualified personnel should carry outmaintenance.

Controlling unauthoriseduse of equipment

Ensure correctconfiguration ofequipment

Proper maintenance ofequipment

MyMIS


Equipment should:

(a) be installed and operated within the manufacturer’s specifications;

(b) be maintained in accordance with the manufacturer’s recommendedservice intervals and specifications;

(c) be repaired and serviced only by properly trained and authorisedservice personnel; and

(d) have a maintenance record of all faults or suspected faults. Notonly does this aid the diagnosis and repair procedure, but may beused to document warranty and other claims.

Ensure that the integrity of security controls is maintained during equipmentmaintenance by:

(a) allowing modifications to be made only by authorised personnelwithin established maintenance procedures;

(b) insisting on testing of controls, both before and after maintenancechanges;

(c) maintaining a record of all faults or suspected faults;

(d) ensuring virus checks are made where appropriate; and

(e) tamper-protecting components which store sensitive information.

4.4.2.8 Disposal of Equipment

In order to prevent disclosure of sensitive information through disposal ofequipment conduct the following:

(a) check all equipment containing storage media for sensitive informationprior to disposal;

(b) perform a risk assessment on damaged equipment to determine ifit should be destroyed, repaired or discarded; and

(c) ensure storage media undergo a secure erasure procedure prior todisposal.

4.4.3 Securing Different Modes of Communications

Different modes of communications discussed in this section include wiredand fixed network, wireless communications, microwave communications andsatellite. These different modes pose different types of security threats andways of prevention as discussed below.

4.4.3.1 Wired Network

A wired Network is a network that uses the conventional copper or morerecently, the optical fibre as the medium of communication. Presently, thewired network is the most predominant in the networking world as can beseen in the next paragraph.

Apart from the telephone private networks, one of the fastest growing sectoris the area of Local Area Network (LAN). An area that is growing at an evenfaster rate is the product that links multiple LANs together. Hence, today theInternet is seen as an explosion of networks inter-linking thousands andmillions of LANs. Today these networks are interconnected through physicalwires or cables, especially LANs. However, the availability of wireless LANswill certainly change the future network environment.

Security threats fromdifferent modes ofcommunications

Proper disposal ofequipment to preventdisclosure of sensitiveinformation

MyMIS


4.4.3.2 Wireless Communication

Wireless applications involve the technology of presenting anddelivering wireless communication information to and from telephonyterminals, other wireless terminals, within a LAN and within networks.A wireless application is utilised when a telephony terminal, e.g.mobile phone communicates with a server installed in the mobile telephonynetwork.

Wireless LAN systems are usually made up of a cell or group of cells thatcontain several wireless station adapters in each of them. Each cell is controlledby an Access Point, (a device that is usually connected to an existing backbone),and which manages all the traffic within the cell. Station adapters within thecoverage area of an access point (i.e. the cell) can communicate betweenthemselves, or gain access to wired LAN resources through the accesspoint. Station adapters associated with an access point are synchronisedwith it by both frequency and clock, so they can transmit and receivedata to and from the access point. The same rule applies for interception- in order for someone to intercept the data one must be within the coveragearea of the cell and be synchronised with the access point.

There are two types of wireless protocols that are widely used today. DirectSequence (and also narrow band) wireless LAN systems work in a predefinedconstant frequency, i.e. when the user buys an access point or a stationadapter it is working in a certain constant frequency. In this case it is easierto detect the frequency of the carrier wave and to synchronise with it. WithFrequency Hopping systems, the frequency of the carrier wave is continuouslychanging. It is difficult to detect the current frequency of transmission andeven if it is possible, it changes within milliseconds.

Secure wireless connection can be assured by:

(a) implementing a secure wireless protocol that will uphold data integrity,privacy, authentication and protect from denial-of-service;

(b) providing controls for the detection and reporting of droppedcommunications and timely termination of all associated sessions;and

(c) requiring re-authentication when wireless connection drops occur.

Eavesdropping of the wireless signalling can be prevented by:

(a) establishing a policy setting out conditions under which wirelessaccess is permissible;

(b) implementing, where business needs dictate, additional controls suchas, frequency hopping;

(c) encrypting classified information during electronic transmission; and

(d) protecting passwords by encryption.

Corruption or modification of information during transmission can be detectedby authenticating information with digital signature. Establishing a procedurefor safeguarding and use of wireless equipment can prevent unauthoriseduse or interruption of wireless equipment such as wireless network accessequipment, wireless PC cards and Wireless Applications Protocol (WAP)enabled devices.

MyMIS


4.4.3.3 Microwave Communication

Some parts of the government network will include microwavecommunications systems as part of the overall infrastructure.Microwave equipment uses ‘focused’ transmission techniquesbetween transmitting and receiving dishes. Microwavecommunication is basically a Frequency Modulation (FM) radioat a specific frequency and modulation. It is a point-to-point ofline-of-sight communications.

A security procedure should be established to ensure secure microwavecommunications as follows:

(a) data encryption - a clear procedure on data/information transmission;

(b) physical access - access to communications equipment (networkfacilities) should be controlled and restricted;

(c) provide controls for monitoring, detecting and reporting of droppedcommunications due to Radio Frequency Interference (RFI), weathereffects, etc; and

(d) provide control over acquisition processes by ensuring appropriateequipment is purchased.

4.4.3.4 Satellite

The primary role of a satellite is to reflect electronic signals. In the caseof a telecom satellite, its primary task is to receive signals from one groundstation and send them down to another ground station located a considerabledistance away from the first. This relay action can be two-way, as in thecase of a long distance phone call.

Another use of the satellite is when, as is the case with television broadcasts,the ground station’s uplink is then downlinked over a wide region, so thatit may be received by many different customers possessing compatibleequipment. Still another use for satellites is observation, wherein the satelliteis equipped with cameras or various sensors, and it merely downlinks anyinformation it picks up from its vantage point.

The advantage of satellite communications is a high degree of reliability andavailability. Furthermore, satellite operator normally add back-up satellitesto further enhance the already high degree of redundancy. There is also veryminimum number of points where network security vulnerabilities exist (i.e.the satellite itself and the ground station). However, satellite communicationsnormally co-exist with fixed network communications. This requires securitymeasures and procedures to be applied according to the fixed networkguidelines.

4.4.4 User Accessibility

As a general rule, the assignment of network access privileges and controlof proxy accounts and default network accounts for all network users shallbe centrally controlled, authorised and documented.

The material presented below may be used to formulate a policy on networkservices.

Assigning useraccessibility

MyMIS


4.4.4.1 Local Area Network

Within the boundaries of the LAN, intrusion protection is required to prevent:

(a) government employees from indiscriminately plugging laptop computersinto any access port of the LAN;

(b) unauthorised access of government employees to strategic systems,by ensuring that:

i. only those computers belonging to the Government will beallowed to function when connected to the LAN. Visitingpersonnel wishing to access the network must haveauthorisation from the system administrator, who must applyto the ICTSO for temporary access rights; and

ii. no unauthorised user should be allowed network access tostrategic computing systems.

Insider attacks or unauthorised access to internal networks can be preventedby the following measures (note: most attacks come from the inside):

(a) no ‘sniffer’ or ‘network analyser’ software is to be allowed on anyPC unless it has been authorised by the network manager inconsultation with the ICTSO. The status of these machines shouldbe reviewed yearly;

(b) on systems, where such software utility is standard, the softwareshould either be deleted or permissions changed so that it can onlybe used by root. In this case the user must not have access to theroot account; and

(c) installing a packet filter/firewall between internal networks and classsystems.

Hubs, bridges and routers are getting very intelligent, with more and moreconfiguration options and are increasingly complex. This is useful for additionalfeatures, but the added complexities increase the security risk.

4.4.4.2 Remote Access

Remote access is the capability to access information-processing resourcesvia public or private networks. In order to ensure that remote access controlsare not compromised the following need to be adhered to:

(a) establish a policy stating the conditions where remote access ispermissible;

(b) implement additional controls (according to business needs) suchas token-based authentication devices, security modems that canprovide password and dial-back controls or remote computing softwarethat can provide password controls;

(c) require written permission when external access is absolutelynecessary. These external connections can be classified as incomingor outgoing; and

(d) use secure remote access approved equipment.

Examples of incoming connections are:

(a) dial-up access for organisation / partners;

(b) dial-up access for ICT staff and directors;

MyMIS


(c) access from universities (co-ordination on research projects);

(d) Internet e-mail;

(e) enterprise WWW server; and

(f) Electronic Data Interchange (EDI).

Examples of outgoing connections are:

(a) access to vendor bulletin boards (for getting information, drivers);

(b) customer connections (providing special services to public);

(c) Internet e-mail;

(d) normal Internet access: WWW e.g. Netscape/Internet Explorer viaproxy server;

(e) special Internet access: e.g. Archie, ftp, news, telnet, gopher andWAIS; and

(f) EDI.

External contractors must also comply with the public sector’s ICT SecurityPolicy. In addition, the department needs to:

(a) execute a written agreement with external parties identifying securityroles and responsibilities;

(b) establish a procedure requiring the intervention of an authorisedemployee to enable/disable a remote access session; and

(c) review activity logs of each remote access session.

4.4.4.3 Dial-up Access

Systems accessible from dial-up terminals are particularly vulnerable tounauthorised access since the call can be initiated from virtually any telephoneinstrument. Official users of dial-up facilities must be distinguishable frompublic users if they are to be given access rights greater than those givento public users.

For services other than those authorised for the public, users of dial-upterminals shall be positively and uniquely identified and their identityauthenticated (e.g., by password) to the systems being accessed.

For dial-up services other than those authorised for public use, the followingshould be considered:

(a) dial-up numbers should be unlisted and changed periodically;

(b) at a minimum, dial-up facilities should be provided with either:

i. an automatic hang-up and call-back feature, with call-back toonly pre-authorised numbers; or

ii. authentication systems that employ smart card/tokenauthentication.

(c) a port protection device (PPD) connected to communications portsof a host computer is typically capable of providing:

i. authentication and access control decisions;

ii. automatic hang-up and call-back to originator; and

iii. attack signalling and event logging.

MyMIS


(d) security may be enhanced by instituting a two-person passwordprocedure. One person’s password gains access to the host andthe other person’s password gains access to the application. Underthis procedure, neither acting alone can gain access to the applicationthrough dial-up; and

(e) a high level of dial-up security combines the call-back feature witheither password authentication (an encryption key entered by theindividual or smart card/token authentication) and terminal identification(an encryption key embedded in the hardware), with all data exchangedon-line being encrypted.

For dial-up facilities authorised for public use, take into consideration thefollowing:

(a) systems which allow public access to the host computer requirestrengthened security at the operating system and applications levelto reduce the likelihood of public intrusion into non-public applications.Such systems also should have the capability to monitor activitylevels;

(b) ensure public usage does not unacceptably degrade systemresponsiveness for official functions; and

(c) systems which identify public users on the basis ofcommunications port usage provide only minimal security since theyare highly vulnerable to mistakes through erroneous hardwareconnections.

4.4.4.4 Virtual Private Networks

A virtual private network (VPN) is a private data network that makes useof the public telecommunication infrastructure, maintaining privacy throughthe use of a tunnelling protocol and other security procedures. A VPN issimilar to a system of owned or leased lines that can only be used by anorganisation.

The idea of the VPN is motivated by the need for secure communicationbetween computer networks in different locations with the same capabilitiesat much lower cost by using shared public infrastructure rather than a privateone. This is especially important for government agencies that need connectivitybetween geographically distributed branch offices.

VPNs allow a trusted network to communicate with another trusted networkover untrusted networks such as the Internet. Since some firewalls provideVPN capability, it is necessary to define the policy for establishing VPNs.

Any connection between firewalls over public networks shall use encryptedVPNs to ensure the privacy and integrity of the data passing over the publicnetwork. All VPN connections must be approved and managed by the SystemAdministrator. Appropriate means for distributing and maintaining encryptionkeys must be established prior to operational use of VPNs.

Due to sharing of resources, a government agency that wishes to employa VPN should have the following:

(a) a firewall located at a network gateway that protects the resourcesof a private network from users of other networks. Firewalls areimplemented at the session layer of the network. This is to filteraccess and block unwanted users from the system. Therefore,government agencies should have defined policies, where changeof policies are driven by the changing security requirements of thoseagencies;

MyMIS


(b) a firewall is installed in a specially designated computer separatefrom the rest of the network so that no incoming request can getdirectly at private network resources;

(c) allow to securely connect branch offices, telecommuters, mobileusers, and selected parties to be securely connected to data resourcesby taking advantage of the cost effectiveness of the Internet; and

(d) remote users be given controlled access to selected servers (enforcedpath) and applications on the network or DMZ.

4.4.5 Connection with other Networks

With regard to other network connections some of the following should beundertaken to ensure ICT security is maintained:

(a) obtain specific authorisation from the ICTSO for connection to networksnot under the organisation’s control;

(b) establish written policies and procedures for connection to externalnetworks; and

(c) impose on the security policy of the external provider requiring itto be verifiably as strong as the organisation’s own network securitypolicy.

Outside penetration or unauthorised access of the network can be preventedby:

(a) using fibre optics for internal cabling rather than the UTP cablesbecause they are very difficult to interrupt or sniff (especially forvery secure environment);

(b) minimising the installation of network protocols e.g. do not installNetBEUI on sub-netted networks, use TCP/IP & WINS servers instead;

(c) avoiding the use of Workgroups (i.e. disable workgroups). This isbecause workgroups support share-level security, but not user-levelsecurity. Organisations are advised to use Domains (LAN-Manager,NT) or NFS instead; and

(d) disabling floppy boot in PC client’s BIOS set-up. Furthermore, PCclients should not be used as ftp or http servers.

4.4.5.1 Integrity of Connections

The capture of a session during accidental or intentional communication linedrops can be prevented by:

(a) providing network controls for the detection and reporting of droppedcommunications lines and timely termination of all associated computersessions; and

(b) adding a procedure that requires re-authentication when line dropsoccur.

4.4.5.2 Firewalls

The increased use of the Internet has made computer technology moreuseful but on the other hand, has resulted in the networking environmentbecoming more dangerous. This is because the Internet now also presentsunprecedented opportunity for attack. Any computer user can subscribe toan Internet Service Provider (ISP) and become a true network ‘node’. Asa result there is no control over who can be on the Internet or what theyuse it for.

MyMIS


There is a dire need to protect systems on the Internet from both knownand unknown assaults from a vast pool of attackers. What can generally beused to protect users from outside attacks can take the form of a firewall.

A firewall can be defined as a collection of components deployed betweentwo networks that collectively have the following properties:

(a) all traffic from inside to outside, and vice-versa, must pass throughthe firewall; and

(b) only authorised traffic will be allowed to pass, as defined by thelocal ICT security policy.

A well-designed firewall is able to protect an organisation’s network and ICTresources as well as those communicating partners’ networks interconnectedthrough the same firewall. Attacks from within the institution’s network, orthat of its communicating partner, must be addressed by using other securityfacilities.

Firewalls specified for use in a secure governmental institution should bedesigned for the following considerations:

(a) strong authentication and identification;

(b) a high degree of confidence of knowing who an institution is dealingwith. A secure identification of the communication partner must precedeany authorisation to conduct business. The ability of identifying whois using a system is required to prevent unauthorised use and toaid investigation of attacks;

(c) audit and archive requirements;

(d) the activity through a firewall contains information, which must bearchived for a certain time to provide evidence, if necessary. Auditablesecurity-related events also must be properly captured;

(e) availability;

(f) only reliable services should be provided;

(g) confidentiality; and

(h) confidence that governmental information will remain mandatorilyprotected.

Due to the fact that the Internet environment is constantly changing, it isdifficult to specify exhaustively all the requirements for firewalls. However,the following suggestions, where applicable, should form the basis of properfirewall selection and implementation:

(a) Technical Design i. All connections to the institution’sAxioms networks must be properly

controlled;

ii. No IP packets will be exchangedbetween networks and the Internetexcept through the connectionestablished through the firewall;and

iii. Traffic is exchanged through thefirewall at the application layeronly. Institution’s hosts,whichsupport incoming service requestsfrom the public through the Internetwill sit outside the firewall.

Suggestions for properselection andimplementation of firewall

MyMIS


Application Server)

(b) Firewall Attributes i The firewall systems wil l beimplemented to work within theconstraints of internal networkrouting technical features;

ii. The firewall must enforce aprotocol discontinuity at thetransport layer;

iii. The firewall must not switch anyIP packets between the protectedand unprotected networks;

iv. The firewall must hide the structureof the protected network;

v. The firewall must provide an audittrail of all communications to orthrough the firewall system andwil l generate alarms whensuspicious activity is detected;

vi. The firewall system must use a‘proxy server ’ to provideapplication gateway functionthrough the firewall;

vii. Routes through the firewall mustbe statically defined and thefirewall configuration protected;

viii. The firewall must not acceptsession initiation from the publicInternet;

ix. The firewall system must defenditself from direct attack;

x. The firewall must be structuredso that there is no way to bypassany firewall component; and

xi. The firewall must include anapplication ‘launch server ’ tosupport application connectionsfrom user systems to Internetservices.

(c) Proxy Server Attributes i. The proxy server acts as anapplication gateway;

ii. The proxy server hides internaldetails of the protected networkfrom the public Internet;

iii. The proxy server does not switchany network level packets;

iv. The proxy server logs all activityin which it is involved; and

v. There are no user accounts onthe proxy server itself.

(d) Launch Server i. The launch server houses onlyAttributes (Web Based client applications;

ii. User logins on the launch servermust be different from the user’s‘home account’; and

MyMIS


iii. Where possible, the launch servershould be based on a hardwareand software platform differentfrom the user’s home systems.

4.4.5.3 Public Users

Where public users are authorised access to networks or host systems,these public users as a class must be clearly identifiable and restricted toonly services approved for public functions. Employees who have not beenassigned a user identification code and means of authenticating their identityto the system are not distinguishable from public users and should not beafforded broader access.

4.4.5.4 Distributed Network Access

Owners of distributed information resources served by distributed networksshall prescribe sufficient controls to ensure that access to those resourcesis restricted to authorised users and uses only. These controls shall selectivelylimit services based on:

(a) user identification and authentication (e.g., password, smart card/token);

(b) designation of other users, including the public where authorised,as a class (e.g., public access through dial-up or public switchednetworks), for the duration of a session; or

(c) physical access controls.

In a distributed network access to distributed processing systems and LAN,the following are recommended:

(a) authorisation at network entry should be made on the basis of validuser identification code and authentication (e.g., password, smartcard/token) and should be provided under the framework of networkservices and controlled by the network management programme;

(b) network access should be controlled as close to the physical pointof network entry as possible;

(c) connections between users on a network should be authorised bythe host or the network node security manager programme, asappropriate;

(d) the designated manager of an independent network host serves thedual role as owner of the network system and as custodian of dataunder another’s ownership while the data is being transported bythe network;

(e) the host security management programme should maintain currentuser application activity authorisations through which each requestmust pass before a connection is made or a session is initiated;

(f) all unauthorised attempts (successful or otherwise) to access ormodify data through a communication network should be promptlyinvestigated; and

(g) if unauthorised access or modification of data occurs, the agencyshould promptly review its existing security system, including itsinternal policies and procedures. Appropriate corrective actions shouldbe planned for and established to minimise or eliminate the possibilityof recurrence. Employees may also need to be reminded of existingor revised procedures.

MyMIS


Government departments provide services to the public. In many cases membersof the public require access to public sector ICT systems. In order to protectagainst unauthorised access from external users, the public domain informationshould be held separate (if possible) from corporate information. All accessfrom external users is required to be routed through the department’s firewall.

4.4.6 Protection during Transmission

Classified information must be prevented from disclosure during transmissionby:

(a) encrypting classified information during electronic transmission; and

(b) protecting passwords by encryption during transmission, wherepossible.

Classified information must be protected from being corrupted or modifiedduring transmission by authenticating information through approved digitalsignature.

4.4.6.1 Uploading & Downloading within Intranet

Uploading and downloading allow users to receive and send electronic filesin a point-to-point manner. This service is developed to ease exchanging ofdocument between two parties via electronic file transfer. It can create, replace,delete or copy document from one another.

Controls that should be implemented to protect uploading and downloadingare as follows:

(a) Authorised User

Only authorised users are to perform uploading or downloading andthis can be assured by restricting access to this service capabilityby logical access control;

(b) Physical Protection

The following can prevent destruction of information and informationprocessing capability through access of equipment providing uploadingand downloading services:

i. restricting physical access to information processing resourcessupplying uploading and downloading services;

ii. uploading and downloading services should reside in theirown host;

iii. the service offered for external use should not be hosted inthe same server or co-located with services offered for internaluse; and

iv. uploading and downloading services for external use withweak or no security features should be prohibited.

4.4.6.2 Uploading & Downloading to/from the Internet

Uploading and downloading to/from the Internet is aimed at providing thecapability to search for information related to business needs. Individualsand groups with such functions will be provided with Internet access capabilities.

MyMIS


4.4.7 Network Monitoring

Network vulnerabilities are those that can be exploited, whenever a systemhas the capability to electronically send information to or receive informationfrom another system.

These vulnerabilities exist primarily in two areas:

(a) interception of information during transmission; and

(b) non-detection of improper messages and message headers receivedby the system.

Whenever the system is used to electronically send information to or receiveinformation from another computer system, there is a chance that the informationwill be intercepted while en route. Therefore, steps should be taken to ensurethat no information is compromised during transmission.

4.4.7.1 Problems to be Monitored

ICT based systems face new challenges not found under paper-basedenvironment. Information been digital in nature is susceptible to a series ofvulnerabilities such as:

(a) Trojan Horse and covert channel

i. Vulnerabilities

• disgruntled valid users;

• computer equipment is located in open areas;

• client stations are not password protected at boot time;

when users are away from their computers, they tendto leave them still logged in to the network; and

• highly vulnerable network.

ii. Safeguards

• minimum reliability checks done on all employees;

• auditing of access to data;

• access to user accounts limited by client stations address(Novell feature); and

• ACLs are set in such a way that all the executablesstored on the network can only be executed, i.e. theycannot be copied, deleted or modified.

(b) Eavesdropping

i. Vulnerabilities

• connections made with unshielded twisted-pair cables;

• no tempest or low emanation equipment used;

• monitors located beside windows;

• printers located in open areas and close to windows;and

• Ethernet topologies are used (data is broadcasted onnetwork segments); and

ii. Safeguards

• physical access control; and

• fibre optics used.

Preventing exploitation ofnetwork vulnerabilities

MyMIS


(c) Virus on the Network

i. Vulnerabilities

• no virus scan or virus detection tool implemented;

• numerous uncontrolled external network connectionsvia client stations;

• network start-up files are stored on each client stations;and

• placement of monitors/printers.

ii. Safeguards

• installation of virus scanning tools;

• access control features, which provide protection againstunauthorised access to the network;

• weekly back-ups;

• security procedures such as stating that floppy diskettesexternal to the network should not be used on clientstations; and

• encryption

(d) Intruders

Insiders and hackers are the main components of the human threatfactor. Insiders are legitimate users of a system. When they usetheir access rights to circumvent security, this is known as an insiderattack. Hackers, the most widely known human threat, are peoplewho enjoy the challenge of breaking into systems.

(e) Insider Attacks

The primary threat to computer systems has traditionally been theinsider attack. Insiders are likely to have specific goals and objectives,and have legitimate access to the system. Insiders can plant TrojanHorses or browse through the file system. This type of attack canbe extremely difficult to detect or protect against.

The insider attack can affect all components of computer security.Browsing attacks the confidentiality of information on the system.Insiders can affect availability by overloading the system’s processingor storage capacity, or by causing the system to crash.

These attacks are possible for a variety of reasons. On manysystems, the access control settings for security-relevant objects donot reflect the organisation’s security policy. This allows the insiderto browse through sensitive data or plant Trojan Horses. The insiderexploits operating system by planting bugs to cause amongst othersthe system to crash.

The actions are undetected because audit trails are inadequate orignored.

(f) Hackers

The definition of the term ‘hacker’ has changed over the years. Ahacker was once thought of as any individual who enjoyed getting

MyMIS


the most out of the system he was using. A hacker would use asystem extensively and study the system until he became proficientin all its nuances. This individual was respected as a source ofinformation for local computer users; someone referred to as a‘guru’ or ‘wizard’. Now, however, the term hacker is used to referto people who either break into systems for which they have noauthorisation or intentionally overstep their bounds on systems forwhich they do not have legitimate access.

Methods used by hackers to gain unauthorised access to systemsinclude:

i. password cracking;

ii. exploiting known security weaknesses;

iii. network spoofing; and

iv. ‘social engineering’.

The most common techniques used to gain unauthorised systemaccess involve password cracking and the exploitation of knownsecurity weaknesses. Password cracking is a technique used tosurreptitiously gain system access by using another user’s account.Users often select weak passwords. The two major sources ofweaknesses in passwords are easily guessed passwords based onknowledge of the user (e.g. wife’s maiden name) and passwordsthat are susceptible to dictionary attacks (i.e. brute-force guessingof passwords using a dictionary as the source of guesses).

Another method used to gain unauthorised system access is theexploitation of known security weaknesses. Two types of securityweaknesses exist: configuration errors, and security bugs. Therecontinues to be an increasing concern over configuration errors.Configuration errors occur when a system is set up in such a waythat unwanted exposure is allowed. Then, according to theconfiguration, the system is at risk from even legitimate actions. Anexample of this would be that if a system ‘exports’ a file systemto the world (makes the contents of a file system available to allother systems on the network), then any other machine can havefull access to that file system (one major vendor ships systems withthis configuration).

Security bugs occur when unexpected actions are allowed on thesystem due to a loophole in some application programme. An examplewould be sending a very long string of keystrokes to a screen-locking programme, thus causing the programme to crash and leavingthe system inaccessible.

A third method of gaining unauthorised access is network spoofing.In network spoofing a system presents itself to the network as thoughit were a different system (system A impersonates system B bysending B’s address instead of its own). The reason for doing thisis that systems tend to operate within a group of other ‘trusted’systems. Trust is imparted in a one-to-one fashion; system A trustssystem B (this does not imply that system B trusts system A). Impliedwith this trust, is that the system administrator of the trusted systemis performing his job properly and maintaining an appropriate levelof security for his system. Network spoofing occurs in the followingmanner: if system A trusts system B and system C spoofs(impersonates) system B, then system C can gain otherwise deniedaccess to system A.

MyMIS


‘Social engineering’ is the final method of gaining unauthorised systemaccess. People have been known to call a system operator, pretendingto be some authoritative figure and demanding that a password bechanged to allow them access. One could also say that usingpersonal data to guess a user’s password is social engineering.

4.4.7.2 How to Overcome Insider Attacks and Hackers

Today, desktop workstations are becoming the tool of more and more scientistsand professionals. Without proper time and training to administer thesesystems, vulnerability to both internal and external attacks will increase.Workstations are usually administered by individuals whose primary jobdescription is not the administration of the workstation. The workstation ismerely a tool to assist in the performance of the actual job tasks. As aresult, if the workstation is up and running, the individual is satisfied.

This neglectful and permissive attitude toward computer security can be verydangerous and has resulted in poor usage of controls and selection of easilyguessed passwords. As these users become, in effect, workstationadministrators, this problem will be compounded by configuration errors anda lax attitude towards security bugfixes. In order to correct this, systemsshould be designed so that security is the default and personnel should beequipped with adequate tools to verify that their systems are secure.

Of course, even with proper training and adequate tools threats will remain.New security bugs and attack mechanisms will be employed. Proper channelsdo not currently exist in most organisations for the dissemination of securityrelated information. If organisations do not place a high enough priority oncomputer security, the average system will continue to be at risk from externalthreats.

System controls may not matched well to the average organisation’s securitypolicy. As a direct result, the typical user is permitted to circumvent thatpolicy on a frequent basis. The administrator is unable to enforce the policybecause of the weak access controls, and cannot detect the violation ofpolicy because of weak audit mechanisms. Even if the audit mechanismsare in place, the daunting volume of data produced makes it unlikely thatthe administrator will detect policy violations.

On-going research in integrity and intrusion detection promises to fill someof these gaps. Until these research projects become available as products,systems will remain vulnerable to internal threats.

Connectivity allows the hacker unlimited and virtually untraceable access tocomputer systems. Registering a network host is akin to listing the system’smodem phone numbers in the telephone directory. No one should do thatwithout securing his or her modem lines (with dial-back modems or encryptionunits). Yet, most network hosts take no special security precautions fornetwork access. They do not attempt to detect spoofing of systems; theydo not limit the hosts that may access specific services.

A number of partial solutions to network security problems do exist. Examplesinclude Kerberos, Secure NFS, RFC 931 authentication tools and ‘tcp wrapper’programmes (access controls for network services with host granularity).However, these tools are not widely used because they are partial solutionsor because they severely reduce functionality.

MyMIS


New solutions for organisations are becoming available, such as the DistributedIntrusion Detection System (DIDS) or filtering network gateways. DIDS monitorsactivities on a subnet. The filtering gateways are designed to enforce anorganisation’s network policy at the interface to the outside network. Suchsolutions may allow the organisation to enjoy most (if not all) of the benefitsof network access and at the same time limit the hackers’ access.

4.4.7.3 Monitoring Tools

Information disclosure, modification, or destruction by use of monitoring devicescan be protected by:

(a) implementing use and storage controls over devices that monitoror record information being transmitted on a network (e.g., protocolanalysers and Intrusion Detection System). The use of this equipmentmust have the consent of the ICTSO;

(b) ensuring that employees understand, as part of their condition ofemployment, that use of the organisation’s information processingassets constitutes consent to monitoring; and

(c) continuing quality of controls must be ensured by maintaining anaudit trail.

Many intrusion detection systems (IDS) base their operations on analysisof OS audit trails. This data forms a footprint of system usage over time.It is a convenient source of data and is readily available on most systems.From these observations, the IDS will compute metrics about the system’soverall state, and decide whether an intrusion is currently occurring.

An IDS may also perform its own system monitoring. It may keep aggregatestatistics, which give a system usage profile. These statistics can be derivedfrom a variety of sources such as CPU usage, disk I/O, memory usage,activities by users, number of attempted logins, etc. These statistics mustbe continually updated to reflect the state of the current system state.They are correlated with an internal model which will allow the IDS to determineif a series of actions constitute a potential intrusion. This model may describea set of intrusion scenarios or possibly encode the profile of a clean system.

An intrusion detection system should address the following issues, regardlessof what mechanism it is based on:

(a) it must run continually without human supervision. The system mustbe reliable enough to allow it to run in the background of the systembeing observed. However, it should not be a ‘black box’. That is,its internal workings should be examinable from outside;

(b) it must be fault tolerant in the sense that it must survive a systemcrash and not have its knowledge base rebuilt at restart;

(c) on a similar note to the above, it must resist subversion. The systemcan monitor itself to ensure that it has not been subverted;

(d) it must impose minimal overhead on the system. A system thatslows a computer to a crawl will simply not be used;

(e) it must observe deviations from normal behaviour;

MyMIS


(f) it must be easily tailored to the system in question. Every systemhas a different usage pattern, and the defence mechanism shouldadapt easily to these patterns;

(g) it must cope with changing system behaviour over time as newapplications are being added. The system profile will change overtime, and the IDS must be able to adapt; and

(h) finally, it must be difficult to fool.

4.5 Security Posture Assessment of ICT

At anytime, the management of an organisation must be aware of the truelevel of its entire ICT security. This is because the security of a system isonly as strong as its weakest point. No organisation should feel complacentabout its state of security. There are continuously discovered vulnerabilitiesand bugs in operating system services, application software components,web browsers and e-mail systems.

The security state (posture) of an organisation must be assessed and abaseline established for continuous improvement. In the assessment process,existing policies (if any) and their implementation will be reviewed, installationvalidated and all points of entry into the network checked. Securing a systemrequires a proper set-up of all devices and services as well as the use ofappropriate security tools. This is to minimise the risk of exposure to attacksthrough a non-technical approach such as social engineering that may defeatany technical means.

The security posture assessment (SPA) is performed to establish the currentbaseline security of the network and systems by discovering knownvulnerabilities and weaknesses, with the intention of providing incrementalimprovements to tighten the security of the network and systems. The entireprocess can be divided into three (3) stages:

Stage 1: System/Network Architecture and Policy Review

Stage 2: System Testing and Network Penetration

Stage 3: Report/recommendation

Unless an organisation has the expertise and tools, an SPA exercise in thepublic sector could be outsourced to an independent 3rd party. The appointmentof the consultant will conform to existing government procedures (PekelilingPerbendaharaan 3/95). Care has to be taken since some information is highlysensitive and usually there are legal implications to be considered (for examplethe Official Secret Act 1972). An SPA starts with a rigorous and proper planand this includes:

(a) obtaining the commitment of the management to allocate resources,e.g. documents about system architecture, network topology,application systems installed;

(b) requesting sufficient fund if the SPA is to be outsourced to an outsideparty;

(c) identifying contact persons in the organisation;

(d) establishing a communication plan during the SPA;

Security management isan on-going process

What is a securityposture assessment

Planning for a securityposture assessment

MyMIS


(e) establishing scope of the SPA (i.e. which computers, network devicesand application systems will be included);

(f) scheduling the activity to minimise disruption of normal activity; and

(g) eventually detailing the day-to-day activities of the SPA exercise.

Finally, following submission of the SPA report, an organisation will seek toimplement recommendations to improve its security level.

Note: The implementation stage is not part of the SPA exercise.

MyMIS


Chapter 5 LEGAL MATTERS

Despite its sophistication and complexities, ICT systems arevulnerable to abuse and threats. This may result in damagesuch as loss of confidentiality, information integrity, authenticity,availability, etc. Examples of threats to ICT environments areas listed in Appendix B.

Cyber laws form an important component of the legal framework needed tofacilitate the development of ICT systems by countering the threats andabuses related to such systems.

In relation to ICT security, cyber laws were enacted to:

(a) regulate and protect the ICT industry from misuse and illegal activitiesor activities that assist in the commissioning of illegal activities. Aboveall, cyber laws seek to promote the development of local ICT-basedindustries;

(b) describe in clear terms activities construed under the law as offences;

(c) describe in detail penalties for transgression; and

(d) provide soft infrastructure to lend support to the MSC initiative.

Importance of cyber laws.

Cyber laws in response toICT security requirements.

No. Act Date of Date of Date ofRoyal Assent Publication Enforcement

in Gazette

1. Digital Signature June 18, June 30, 1997 October 1,Act 1997 1997 1998

2. Computer Crime June 18, June 30, 1997 June 1, 2000Act 1997 1997

3. Telemedicine June 18, June 30, 1997 *Act 1997 1997

4. Copyright June 18, June 30, 1997 April 1, 1999(Amendment) 1997Act 1997

5. Communications September 23, October 15, April 1, 1999& Multimedia 1998 1998Act 1998

6. Malaysian September 23, October 15, April 1, 1999Communications 1998 1998& MultimediaCommissionAct 1998

* To be enforced

Table 5.1: Malaysian Cyber Laws

MyMIS


In addition other existing regulations, which are related to computer crimeinclude:

(a) Copyright Act 1987;

(b) Official Secrets Act 1972;

(c) Companies Act 1965 (Act 125);

(d) Trade Marks Act 1976;

(e) Patents Act 1983;

(f) Prison Act 1995; and

(g) Akta Arkib Negara 44/1996.

5.1 Cyber Laws and Legal Implications

5.1.1 Digital Signature Act 1997

The Digital Signature Act was enacted to instill confidence and encouragethe public to perform secured electronic transactions domestically as wellas internationally. Under the Act, the digital signature provides a verificationsystem to authenticate the identity of the author and verify the transmittedmessage.

For a digital signature to be recognised, it is necessary to obtain a certificatefrom a Certification Authority licensed by the Controller of Certification Authorities.On the salient elements of this law are that Certification Authorities authorisedby a foreign government entity may be recognised and that the liability ofa Certification Authority is limited. A document created in accordance withthis Act or signed digitally is legally binding as a document.

Among the provisions of this Act are:

(a) the need for all Certification Authorities to be licensed;

(b) the appointment of a Controller of Certification Authorities;

(c) the main responsibility of a Controller of Certification Authorities isto license the Certification Authority;

(d) the main task of the Certification Authority is to verify the identityof subscribers;

(e) determination of the liability limits of the Certification Authorities andthe legal effect of digital signatures; and

(f) delegation of authority to the Minister to appoint the Controller ofCertification Authority.

5.1.2 Computer Crime Act 1997

The Computer Crime Act 1997 relates to offences due to the misuse ofcomputers and complement existing criminal legislation. Under this law,unauthorised access/modification to any programme or data held in computeris an offence and will be penalised. This Act also has an effect outsideMalaysia if the offences are committed by any person in any place outsideMalaysia if the computer, programme or data is in Malaysia or capable ofbeing connected to or used with a computer in Malaysia.

Other regulations relatedto computer crime.

Provision of the DigitalSignature Act.

Certificate must beobtained fromCertification Authority.

Provision of ComputerCrime Act.

MyMIS


List of Offences

Section Offences

3 Unauthorised access to computer material

4 Unauthorised access with intent to commit or facilitatecommission of further offence

5 Unauthorised modification of the contents of any computer

6 Wrongful communication

7 Abetments and attempts punishable as offences

8 Presumption

11 Obstruction of search

List of Punishment

Section Imprisonment Fine Or Both

3 Not > 5 years Not > RM 50,000.00 ✓

4 Not > 10 years Not > RM 150,000.00 ✓

5 Not > 7 years; If Not > RM 100,000.00; If ✓cause injury, not > cause injury, Not > RM10 years 150,000.00

6 Not > 3 years Not > RM 25,000.00 ✓

7 Not > 1/2 of Same amount as ✓maximum term offences abetted

11 Not > 3 years Not > RM 25,000.00 ✓

List of Enforcement

Section Offences Search & Seizure Arrest

10 Powers of Person: not less Person: Any Policesearch, seizure than Inspector Officer.& arrest

With or without Without warrantwarrant (Seizable)

Table 5.2: List of Offences, Punishment and Enforcement

An abstract of the offences, punishment and enforcement under the Act arelisted below:

MyMIS


5.1.3 Telemedicine Act 1997

The Telemedicine Act was enacted to provide the regulatory framework forthe practice of Telemedicine and to recognise the use of multimedia in thepractice of medicine.

Telemedicine can be practiced by a local doctor who has a valid practicingcertificate, a foreign licensed/registered doctor who has been certified by theMalaysian Medical Council through a local doctor or provisionally registeredmedical practitioner, medical assistant, nurse and midwife approved by theDirector-General of Health. No other person can practice Telemedicine andoffenders will be fined accordingly. The important condition in telemedicineis that the doctor must obtain written consent from the patient for suchtreatments. However, there is no provision in the Telemedicine Act on theliability of telemedicine practitioners. Liability is to be determined by tortuousor contractual principles.

5.1.4 Copyright (Amendment) Act 1997

This Act is to enhance copyright protection by taking into account developmentin information technology and the latest developments related to copyrightunder the World Intellectual Property Ownership (WIPO) Copyright Treaty1996. The scope of copyright protection has been widened where an authoris also given exclusive right of control. New copyright infringements andoffences have been further identified and regulated under this Act.

An abstract of the offences, punishment and enforcement under the Act arelisted below:

List of Offences

Section Offences

41(1)(h) Circumvents or causes the circumvention of any effectivetechnological measures referred to in S.36 (3)

41(1)(i) Removes or alters any electronic rights managementinformation without authority

41(1)(j) Distributes, imports for distribution or communicates tothe public, without authority, works or copies of works inrespect of which electronic rights managementinformation has been removed or altered withoutauthority

Provision of theTelemedicine Act.

Telemedicine can bepracticed by a licensedpersonnel.

Provision of Copyright(Amendment) Act.

MyMIS


List of Punishment

Section Imprisonment Fine (RM) Or Both

41(1)(h) Not > 3 years Not > RM 250,000.00, ✔

Subsequent offence Subsequent offence not >not > 5 years RM 500,000.00

41(1)(i) Not > 3 years Not > RM 250,000.00 ✔

Subsequent offence Subsequent offence not >not > 5 years 500,000.00

41(1)(j) Not > 3 years; Not > RM 250,000.00; ✔Subsequent Subsequent offence notOffence not > 5 years RM 500,000.00

List of Enforcement

Section Offences Investigation Search & ArrestSeizure

44 Entry by - Police not -warrant or less thanotherwise Inspector or

AssistantController

50 Power of Police not less - (Special powerinvestigation than Inspector investigation)

or Assistant Police -withoutController warrant

AssistantController- with warrant

Table 5.3: List of Offences, Punishment and Enforcement

5.1.5 Communications and Multimedia Act 1998

This Act covers communications over the electronic media (exclusion of printmedia) and does not affect the application of existing laws on national security,illegal content, defamation and copyright. This Act, regulates various activitiessuch as network facilities providers, network service providers, applicationservice providers and content application services providers. Under this Act,the Minister is given the flexibility to grant licences for particular types ofactivity as he deems fit. This flexibility is to address of the changing requirementsas the industry evolves.

Provision of theCommunication andMultimedia Act.

MyMIS


5.1.6 Malaysian Communications & Multimedia Commission Act 1998

This Act provides the establishment of the Malaysian Communications andMultimedia Commission with powers to supervise and regulate thecommunications and multimedia activities in Malaysia, to enforce thecommunications and multimedia laws of Malaysia, and for related matters.

5.2 Crime Investigation

Global trends indicate that ICT security incidents (fraud, theft, impersonation,loss of business opportunity, etc.) are increasing.

This is primarily due to:

(a) readily available facilities and tools plus the lack of control in theiruse;

(b) relatively easy in mounting attacks from a distance; and

(c) availability of valuable information on networks that could be exploited.

It is imperative that public sector officers involved in ICT security are awareof such incidents so as to enable them to mitigate risk and exposure of theirrespective ICT installations, including issues dealing with investigations andenforcement.

Telecommunications fraud, computer-related crime incidents, investigationsand computer forensics involve sciences affected by many external factors,such as continued advancements in technology, societal issues and legalissues. Most of the cases are esoteric in nature and there have been veryfew prosecutions and even fewer convictions being made. This is becauseof the many grey areas to be sorted out and tested through the courts. Untilthen, system attackers will have an advantage and computer abuse willcontinue to increase.

5.2.1 Definition of Computer Crime

Computer crime is defined by the Royal Malaysian Police as:

(a) a criminal act in which a computer is essential to the perpetrationof the crime; or

(b) a criminal act where a computer, non-essential to the perpetrationof the crime, acts as a store of information concerning the crime.

5.2.1.1 Examples of Computer Essentials

Some examples of computer essentials are:

(a) information theft via hacking;

(b) electronic funds transfer fraud;

(c) distribution of pornography via Internet;

(d) internet cash fraud; and

(e) credit card fraud.

Provision of theMalaysianCommunications andMultimedia CommissionAct.

Increasing ICT securityincidents.

Few convictions due togrey areas.

Computer crime is acriminal act.

Examples of computeressentials.

MyMIS


5.2.1.2 Examples of Computer Non-Essentials

Some examples of computer non-essentials are:

(a) all types of fraud;

(b) murder;

(c) theft;

(d) forgery; and

(e) potentially any type of crime.

5.2.2 Evidence

Evidence is defined as anything offered in court to prove the truth or falsityof a fact in issue. However, evidence presented in a computer-related crimecase may differ from traditional forms of evidence because in most casesthe computer-related crime evidence is intangible. As a consequence, thelegal problems of computer-based evidence are intensified and complex.

5.2.2.1 Types of Evidence

The most common forms of evidence that can be offered in court to provethe truth or falsity of a given fact are:

(a) direct evidence is oral testimony obtained from any of the witness’sfive senses and is in itself proof or disproof of a fact in issue (e.g.,an eyewitness statement);

(b) real evidence also known as associative or physical evidence. It ismade up of any tangible objects that prove or disprove guilt;

(c) documentary evidence is evidence presented in the form of e.g. businessrecords, manuals, and printouts. Much of the evidence submitted ina computer crime case is documentary evidence;

(d) demonstrative evidence is evidence in the form of a model, experiment,chart, or an illustration offered as proof;

(e) physical evidence includes tools used in the crime, fruits of the crime,or perishable evidence capable of reproduction to link the suspectto the crime; and

(f) computer generated evidence such as:

i. visual output on the monitor;

ii. printed evidence on a printer/plotter;

iii. film recorder (i.e., a magnetic representation on disk and opticalrepresentation on CD); and

iv. data and information stored electronically on storage devices(e.g. diskettes, CD’s, tapes, cartridges etc.).

5.2.3 Conducting Computer Crime Investigation

The computer crime investigation should start immediately following the reportof any alleged transgression or criminal activity. The incident response planwill help set the objective of the investigation and will identify each of thesteps in the investigative process.

Examples of computernon-essential.

Computer related crimeevidence is intangibleand may differ fromtraditional forms.

Different type ofcomputer related crimeevidence.

Immediately start theinvestigation after thereport is made.

MyMIS


5.2.3.1 Detection and Containment

Before any investigation, the following steps should be taken:

(a) the system intrusion or abusive conduct must first be detected. Swiftdetection of the actual intrusion not only helps to minimise systemdamage, but also assists in the identification of potential suspects;

(b) proactive and automated detection techniques must be instituted tominimise the amount of system damage in the wake of an attack;and

(c) once an incident is detected, it is essential to minimise the risk ofany further loss by shutting down the system and reloading cleancopies of the operating system and application programmes. However,failure to contain a known situation (i.e. a system penetration) mayresult in increased liability for the victim’s organisation.

5.2.3.2 Report to Management

All incidents should be reported to management as soon as possible. Promptinternal reporting is imperative to collect and preserve potential evidence.It is important that information about the investigation be limited to as fewpeople as possible. Information should be given on a need-to-know basis,which limits the possibility of the investigation being leaked. E-mail shouldnot be used to discuss the investigation on a compromised system.

Based on the type of crime and type of organisation it may be necessaryto notify:

(a) CIO;

(b) MAMPU;

(c) The Office of the Government Chief Security Officer, Prime Minister’sDepartment;

(d) The Audit Department, Prime Minister’s Department;

(e) The Legal Affairs Division, Prime Minister’s Department; and

(f) The Attorney-General’s Department, Prime Minister’s Department.

5.2.3.3 The Preliminary Investigation

The preliminary investigation usually involves the following:

(a) a review of the initial complaint, inspection of the alleged damageor abuse, witness interviews, and, finally, examination of the systemlogs;

(b) the investigator must address the basic elements of the crime todetermine the chances of successfully prosecuting a suspect eithervia civil or criminal action;

(c) the investigator must identify the requirements of the investigation(i.e., the financial implication and resources); and

(d) the investigator should not confront or talk with the suspect. Doingso would only give the suspect the opportunity to hide or destroyevidence.

Steps to be followedbefore the investigation.

ICT incidents should bereported to themanagement immediately

Also, ICT incidentsshould be reported to therelevant parties.

Preliminary investigationproses

MyMIS


5.2.3.4 Determine if Disclosure is Required

It is important to determine if a disclosure is required or warranted underspecific laws or regulations. Even if disclosure is not required, it is sometimesbetter to disclose the attack to possibly deter future attacks.

5.2.3.5 Investigation Considerations

There are many factors to consider when deciding whether to further investigatean alleged computer crime.

The investigation considerations are:

(a) the cost associated with an investigation;

(b) the effect on operations or the effect on the organisation’s reputation;and

(c) the victim organisation must answer these questions:

i. will productivity be stifled by the inquiry process?;

ii. will the compromised system have to be shut down to conductan examination of the evidence or crime scene?;

iii. will any of the system components be held as evidence?;

iv. will proprietary data be subject to disclosure?;

v. will there be any increased exposure for failing to meet a ‘standardof due care?’;

vi. will there be any potential adverse publicity related to the loss?;and

vii. will a disclosure invite other perpetrators to commit similar acts,or will an investigation and subsequent prosecution deter futureattacks?.

5.2.3.6 Who Should Conduct the Investigation?

Based on the type of investigation (i.e., civil, criminal, or insurance) andextent of the abuse, the victim must decide who is to conduct the investigation.

The victim must choose from these options:

(a) conduct an internal investigation;

(b) bring in MAMPU to assess the damage, preserve evidence and providerecommendation for further action (refer to Appendix H: MekanismePelaporan Insiden Keselamatan Teknologi Maklumat dan Komunikasi(ICT)); and

(c) bring in law enforcement officials.

The major issues affecting the decision as to which parties to bring (in orderof priority) are information dissemination, investigative control, cost, and theassociated legal issues. Once an incident is reported to law enforcement,information dissemination becomes uncontrolled. Law enforcement controlsthe entire investigation, from beginning to end. This does not always havea negative effect, but the victim organisation may have a different set ofpriorities.

Determine if disclosureis required

Factors to considerwhen deciding to furtherinvestigate

Victim is able to decideon the conducting party

Issue affecting areinformation dissemination,investigation control, costand legality

MyMIS


Cost is always a concern, and the investigation costs only add to the lossinitially sustained by the attack or abuse. Even law enforcement agencies,which are normally considered “free”, add to the costs because of the technicalassistance that they require during the investigation.

There are advantages and disadvantages for each of these groups previouslyidentified. Internal investigators know the victim’s systems best, but maylack some of the legal and forensic training. Private investigators who specialisein high-technology crime also have a number of advantages, but usuallyinvolve higher costs. Private security practitioners and private investigatorsare also private businesses and may be more sensitive to business resumptionthan law enforcement.

If the victim organisation decides to report to the police, care must be takennot to alert the perpetrator. When a police report is made the incident willbecome part of a public record. Now, there will no longer be on avenue fordiscretionary dissemination of information or a covert investigation. Thereforeit is suggested that the victim organisation should ask the police to meetwith it in plainclothes. When they arrive at the workplace, they should beannounced as consultants. Be aware that the local law enforcement agencymay not be well equipped to handle high-tech crime. Usually local lawenforcement has limited budgets and place emphasis on problems relatedto violent crime and drugs. Moreover, with technology changing so rapidly,most local law enforcement officers lack the technical training to adequatelyinvestigate an alleged intrusion.

The same problems hold true for the prosecution and the judiciary. In orderto prosecute a case successfully, both the prosecutor and the judge musthave a reasonable understanding of high-technology laws and the crime inquestion, which is not always the case. Moreover, many of the current lawsare woefully inadequate. Even though an action may be morally and ethicallywrong, it is still possible that no law is violated (e.g., the LaMacchia case).Even when a law that has been violated, many of these laws remain untestedand lack precedence. Because of this, many prosecutors are reluctant toprosecute high-technology crime cases.

Some of the lines of defences that have been used, and accepted by thejudiciary, are:

(a) if an organisation has no system security or lax system security, thatorganisation is implying that no organisation concern exists. Thus,there should be no court concern;

(b) if a person is not informed that access is unauthorised, it can beused as a defence; and

(c) if employees are not briefed and do not acknowledge understandingof policy, standards and procedures, they can use it as a defence.

Cost is of concern toconduct the investigation.

Police involvement.

Some of the defences havebeen used and accepted.

MyMIS

Copyright MAMPU Appendix A - 1

Appendix A

KERAJAAN MALAYSIA

PEKELILING AM BIL. 3 TAHUN 2000

RANGKA DASAR KESELAMATANTEKNOLOGI MAKLUMAT DAN

KOMUNIKASI KERAJAAN

JABATAN PERDANA MENTERIMALAYSIA

Dikelilingkan kepada:

Semua Ketua Setiausaha Kementerian

Semua Ketua Jabatan Persekutuan

Semua Ketua Pengurusan Badan Berkanun Persekutuan

Semua Y.B. Setiausaha Kerajaan Negeri

Semua Ketua Pengurusan Pihak Berkuasa Tempatan

MyMIS


JABATAN PERDANA MENTERI MALAYSIAKOMPLEKS JABATAN PERDANA MENTERIPUSAT PENTADBIRAN KERAJAANPERSEKUTUAN Telefon : 603-8888195762502 PUTRAJAYA Faks : 603-88883721

Rujukan Kami : UPTM (S) 159/526/1(2)

Tarikh : 1 Oktober 2000



Semua Ketua Pengurusan Badan Berkanun




RANGKA DASAR KESELAMATANTEKNOLOGI MAKLUMAT DAN KOMUNIKASI

KERAJAAN

TUJUAN

Pekeliling ini bertujuan untuk menjelaskan Rangka Dasar Keselamatan Teknologi Maklumat dan KomunikasiKerajaan serta perkara-perkara berkaitan yang perlu diberi pertimbangan dan diambil tindakan olehagensi-agensi Kerajaan.

LATAR BELAKANG

2. Kerajaan sentiasa memberi perhatian terhadap keselamatan teknologi maklumat dan komunikasi(information and communications technology) atau ICT terutamanya dalam usaha menjayakanpembangunan dan pelaksanaan Aplikasi Perdana Koridor Raya Multimedia. Kerajaan juga sedar akanrepositori maklumat semasa yang sangat besar dalam simpanannya, dan dijangka akan bertambahbesar dengan terlaksananya projek Aplikasi Perdana yang diterajui Perkhidmatan Awam. Nilai sertakegunaan repositori maklumat juga dijangka akan terus meningkat hasil dari peningkatan penggunayang bergantung kepada sistem ICT. Ini merupakan sebahagian daripada kesan ledakan pembangunanICT yang telah mencorak budaya kerja serta cara penyampaian perkhidmatan Kerajaan kepada rakyat.Trend menunjukkan semakin banyak agensi Kerajaan mengubah hala kepada penggunaan ICT yanglebih meluas untuk mengurangkan kos operasi dan meningkatkan produktiviti dan kualiti perkhidmatankepada pelanggan.

3. Pertumbuhan pesat penggunaan ICT di kalangan ini, terutama melalui kemudahan Internet,mendedahkan maklumat secara lebih luas dan ini memungkinkan berlakunya pencerobohan yangboleh mengakibatkan kebocoran maklumat rahsia rasmi dan maklumat rasmi Kerajaan. Keadaan inijika tidak diberi perhatian rapi boleh menimbulkan masalah yang lebih besar di masa hadapan. Disamping itu perlu ada keseimbangan antara kawalan keselamatan yang terlalu ketat sehingga membatasipenyebaran maklumat penyampaian perkhidmatan, dengan kawalan yang terlalu longgar yang bolehmemudaratkan keselamatan atau kepentingan Perkhidmatan Awam dan Negara.

4. Menyedari pentingnya usaha-usaha menjamin keselamatan ICT, satu rangka Dasar KeselamatanICT Kerajaan telah digubal berpandukan kepada prinsip-prinsip keselamatan ICT yang kukuh,tanggungjawab terhadap keselamatan maklumat, kesedaran terhadap ancaman dan langkah-langkahpeningkatan tahap keselamatan maklumat.

MyMIS


RANGKA DASAR KESELAMATAN ICT KERAJAAN

5. Rangka Dasar Keselamatan ICT ini dirumus bagi memenuhi keperluan penguatkuasaan, kawalandan langkah-langkah yang menyeluruh untuk melindungi aset ICT Kerajaan. Perlindungan keselamatanini perlu bersesuaian dengan nilai atau sensitiviti aset yang dimaksudkan. Ia juga perlu seimbangdengan kesan yang mungkin timbul akibat kegagalan perlindungan yang sesuai. Pernyataan dasar,prinsip, objektif dan skop dasar ini dijelaskan dalam lampiran kepada Pekeliling ini.

TANGGUNGJAWAB AGENSI

6. Semua agensi Kerajaan adalah dikehendaki mematuhi Rangka Dasar Keselamatan ICT Kerajaandan melaksanakan tanggungjawab yang ditetapkan. Untuk maksud ini, semua Ketua Jabatan adalahdiminta mengambil tindakan-tindakan berikut:

(a) Melantik seorang Pegawai Keselamatan ICT di kalangan pegawai kanan yang bertanggungjawabdalam melaksanakan tindakan-tindakan yang ditetapkan dalam Rangka Dasar KeselamatanICT. Perlantikan pegawai ini dan sebarang pertukaran perlu dimaklumkan kepada MAMPU.

(b) Menyediakan semua infrastruktur keselamatan ICT menepati prinsip-prinsip keselamatanberpandukan Rangka Dasar Keselamatan ICT dan Arahan Keselamatan yang disediakan olehKetua Pegawai Keselamatan Kerajaan.

(c) Menyedia dan mengkaji semula dokumen infrastruktur keselamatan ICT bagi tujuan auditkeselamatan ICT.

(d) Mengenal pasti bidang-bidang keselamatan ICT yang perlu diberi perhatian rapi dan mengambiltindakan segera mengatasinya.

(e) Memastikan tahap keselamatan ICT adalah terjamin setiap masa.

KHIDMAT NASIHAT

7. Sebarang kemusykilan berkaitan dengan Surat Pekeliling ini dan Rangka Dasar Keselamatan ICTKerajaan bolehlah dirujuk kepada MAMPU, manakala kemusykilan berkaitan dengan Arahan Keselamatanhendaklah dirujuk kepada Pejabat Ketua Pegawai Keselamatan Kerajaan Malaysia.

TARIKH KUATKUASA

Surat Pekeliling ini berkuatkuasa mulai tarikh ia dikeluarkan.

(TAN SRI ABDUL HALIM BIN ALI)Ketua Setiausaha Negara

MyMIS


(Lampiran kepadaSurat Perkeliling Am

Bil. 3 Tahun 2000)

RANGKA DASAR KESELAMATANTEKNOLOGI MAKLUMAT DAN

KOMUNIKASI KERAJAAN

Unit Permodenan Tadbiran danPerancangan Pengurusan Malaysia(MAMPU)Jabatan Perdana Menteri

MyMIS


PENGENALAN

Kerajaan sedar akan tanggung jawab untuk memastikan keselamatan aset teknologi maklumat dankomunikasi (information and communications technology), ringkasnya ICT, yang dimiliki atau di bawahjagaan dan kawalannya. Ini termasuk semua data, peralatan, rangkaian dan kemudahan ICT. Tanggungjawab ini juga harus dipikul oleh ahli pentadbiran Kerajaan, penjawat awam atau sesiapa sahaja yangmengakses dan yang menggunakan aset ICT Kerajaan.

RASIONAL

2. Tujuan utama keselamatan ICT adalah untuk menjamin kesinambungan urusan Kerajaan denganmeminimumkan kesan insiden keselamatan. Keselamatan ICT berkait rapat dengan pelindungan maklumatdan aset ICT. Ini kerana komponen peralatan dan perisian yang merupakan sebahagian daripada asetICT Kerajaan adalah pelaburan besar dan perlu dilindungi. Begitu juga dengan maklumat yang tersimpandi dalam sistem ICT. Ia amat berharga kerana banyak sumber yang telah digunakan untuk menghasilkannyadan sukar untuk dijana semula dalam jangkamasa yang singkat. Tambahan pula terdapat maklumatyang diproses oleh sistem ICT adalah sensitif dan terperingkat. Pendedahan tanpa kebenaran ataupembocoran rahsia boleh memudaratkan kepentingan negara. Sebarang penggunaan aset ICT kerajaanselain daripada maksud dan tujuan yang telah ditetapkan, adalah merupakan satu penyalahgunaansumber Kerajaan.

3. Memandangkan pentingnya aset ICT Kerajaan dilindungi, maka satu Dasar Keselamatan ICTKerajaan adalah perlu diwujudkan.

PERNYATAAN DASAR KESELAMATAN ICT KERAJAAN

4. Keselamatan ditakrifkan sebagai keadaan yang bebas daripada ancaman dan risiko yang tidakboleh diterima. Keselamatan adalah suatu proses yang berterusan. Ia melibatkan aktiviti berkala yangmesti dilakukan dari semasa ke semasa untuk menjamin keselamatan kerana ancaman dan kelemahansentiasa berubah.

5. Keselamatan ICT adalah bermaksud keadaan di mana segala urusan menyedia dan membekalkanperkhidmatan yang berasaskan kepada sistem ICT berjalan secara berterusan tanpa gangguan yangboleh menjejaskan keselamatan. Keselamatan ICT berkait rapat dengan pelindungan aset ICT. Terdapatempat (4) komponen asas keselamatan ICT, iaitu:

(a) Melindungi maklumat rahsia rasmi dan maklumat rasmi kerajaan dari capaian tanpa kuasayang sah;

(b) Menjamin setiap maklumat adalah tepat dan sempurna;

(c) Mempastikan ketersediaan maklumat apabila diperlukan oleh pengguna; dan

(d) Mempastikan akses kepada hanya pengguna-pengguna yang sah atau penerimaan maklumatdari sumber yang sah.

6. Dasar Keselamatan ICT Kerajaan merangkumi perlindungan ke atas semua bentuk maklumatelektronik bertujuan untuk menjamin keselamatan maklumat tersebut dan kebolehsediaan kepadasemua pengguna yang dibenarkan. Ciri-ciri utama keselamatan maklumat adalah seperti berikut:

(a) Kerahsiaan—Maklumat tidak boleh didedahkan sewenang-wenangnya atau dibiarkan diaksestanpa kebenaran.

(b) Integriti—Data dan maklumat hendaklah tepat, lengkap dan kemaskini. Ia hanya boleh diubahdengan cara yang dibenarkan.

(c) Tidak Boleh Disangkal—Punca data dan maklumat hendaklah dari punca yang sah dan tidakboleh disangkal.

(d) Kesahihan—Data dan maklumat hendaklah dijamin kesahihannya.

(e) Kebolehsediaan—Data dan maklumat hendaklah boleh diakses pada bila-bila masa.

MyMIS


7. Selain itu, langkah-langkah ke arah keselamatan ICT hendaklah bersandarkan kepada penilaianyang bersesuaian dengan perubahan semasa terhadap kelemahan semula jadi aset ICT; ancamanyang wujud akibat daripada kelemahan tersebut; risiko yang mungkin timbul; dan langkah-langkahpencegahan sesuai yang boleh diambil untuk menangani risiko berkenaan.

PRINSIP-PRINSIP DASAR KESELAMATAN ICT KERAJAAN

8. Prinsip-prinsip yang menjadi asas kepada Dasar Keselamatan ICT Kerajaan adalah sepertiberikut:

(a) Akses atas dasar “perlu mengetahui”

(b) Hak akses minimum

(c) Akauntabiliti

(d) Pengasingan

(e) Pengauditan

(f) Pematuhan

(g) Pemulihan

(h) Saling bergantung

(a) Akses Atas Dasar Perlu Mengetahui

9. Akses terhadap penggunaan aset ICT hanya diberikan untuk tujuan spesifik dan dihadkan kepadapengguna tertentu atas dasar “perlu mengetahui” sahaja. Ini bermakna akses hanya akan diberikansekiranya peranan atau fungsi pengguna memerlukan maklumat tersebut. Pertimbangan akses dibawah prinsip ini adalah berasaskan kepada klasifikasi maklumat dan tapisan keselamatan penggunaseperti berikut:

(i) Klasifikasi Maklumat

Keselamatan ICT Kerajaan hendaklah mematuhi “Arahan Keselamatan” perenggan 53,muka surat 15, di mana maklumat dikategorikan kepada Rahsia Besar, Rahsia, Sulit danTerhad. Data, bahan atau maklumat rasmi yang sensitif atau bersifat terperingkat perlu dilindungidari pendedahan, dimanipulasi atau diubah semasa dalam penghantaran. Penggunaan koddan tandatangan digital mesti dipertimbangkan bagi melindungi data yang dikirim secaraelektronik. Dasar kawalan akses ke atas aplikasi atau sistem juga hendaklah mengikut klasifikasimaklumat yang sama, iaitu sama ada rahsia besar, rahsia, sulit atau terhad.

(ii) Tapisan Keselamatan Pengguna

Dasar Keselamatan ICT Kerajaan adalah mematuhi prinsip bahawa pengguna boleh diberikebenaran mengakses kategori maklumat tertentu setelah siasatan latarbelakang menunjukkantiada sebab atau faktor untuk menghalang pengguna daripada berbuat demikian.

(b) Hak Akses Minimum

10. Hak akses kepada pengguna hanya diberi pada tahap set yang paling minimum iaitu untukmembaca dan/atau melihat sahaja. Kelulusan khas adalah diperlukan untuk membolehkan penggunamewujud, menyimpan, mengemaskini, mengubah atau membatalkan sesuatu data atau maklumat.

MyMIS


(c) Akauntabiliti

11. Semua pengguna adalah dipertanggungjawabkan ke atas semua tindakannya terhadap aset ICTkerajaan. Tanggungjawab ini perlu dinyatakan dengan jelas sesuai dengan tahap sensitiviti sesuatusumber ICT. Untuk menentukan tanggungjawab ini dipatuhi, sistem ICT hendaklah mampu menyokongkemudahan mengesan atau mengesah bahawa pengguna sistem maklumat boleh dipertanggungjawabkanatas tindakan mereka.

12. Akauntabiliti atau tanggungjawab pengguna termasuklah:

(i) Menghalang pendedahan maklumat kepada pihak yang tidak dibenarkan.

(ii) Memeriksa maklumat dan menentukan ianya tepat dan lengkap dari semasa ke semasa.

(iii) Menentukan maklumat sedia untuk digunakan.

(iv) Menjaga kerahsiaan kata laluan.

(v) Mematuhi standard, prosedur, langkah dan garis panduan keselamatan yang ditetapkan.

(vi) Memberi perhatian kepada maklumat terperingkat terutama semasa pewujudan, pemprosesan,penyimpanan, penghantaran, penyampaian, pertukaran dan pemusnahan.

(vii) Menjaga kerahsiaan langkah-langkah keselamatan ICT dari diketahui umum.

(d) Pengasingan

13. Prinsip pengasingan bermaksud bahawa semua tugas-tugas mewujud, memadam, kemaskini,mengubah dan mengesahkan data diasingkan. Ia bertujuan untuk mengelak akses yang tidak dibenarkandan melindungi aset ICT daripada kesilapan, kebocoran maklumat terperingkat, dimanipulasi danseterusnya, mengekalkan integriti dan kebolehsediaan.

14. Pengasingan juga merangkumi tindakan memisahkan antara kumpulan operasi dan rangkaian.Ia bertujuan untuk mengasingkan akses kepada domain kedua-dua kumpulan tersebut seperti akseskepada fail data, fail program, kemudahan sistem dan komunikasi, manakala pemisahan antara domainpula adalah untuk mengawal dan mengurus perubahan pada konfigurasi dan keperluan sistem.

15. Pada tahap minimum, semua sistem ICT perlu mengekalkan persekitaran operasi yang berasinganseperti berikut:

(i) Persekitaran pembangunan di mana sesuatu aplikasi dalam proses pembangunan.

(ii) Persekitaran penerimaan iaitu peringkat di mana sesuatu aplikasi diuji.

(iii) Persekitaran sebenar di mana aplikasi sedia untuk dioperasikan.

(e) Pengauditan

16. Pengauditan adalah tindakan untuk mengenalpasti insiden berkaitan keselamatan atau mengenalpastikeadaan yang mengancam keselamatan. Ia membabitkan pemeliharaan semua rekod berkaitan tindakankeselamatan. Dengan itu, aset ICT seperti komputer, pelayan, router, firewall, dan rangkaian hendaklahditentukan dapat menjana dan menyimpan log tindakan keselamatan atau audit trail. Pentingnya audittrail ini menjadi semakin ketara apabila wujud keperluan untuk mengenalpasti punca masalah atauancaman kepada keselamatan ICT. Oleh itu, rekod audit hendaklah dilindungi dan tersedia untukpenilaian atau tindakan serta merta.

17. Pengauditan juga perlu dibuat ke atas rekod-rekod manual seperti dokumen operasi, nota serahtugas, kelulusan keluar pejabat, memorandum, borang kebenaran, surat kuasa, senarai inventori dankemudahan akses log. Ini adalah kerana dalam kes-kes tertentu, dokumen ini diperlukan untuk menyokongaudit trail sistem komputer.

MyMIS


18. Keseluruhannya, sistem pengauditan ini adalah penting dalam menjamin akauntabiliti. Antaralain, sistem ini dapat dirujuk bagi menentukan perkara-perkara berikut:

(i) Mengesan pematuhan atau perlanggaran keselamatan.

(ii) Menyediakan catatan peristiwa mengikut urutan masa yang boleh digunakan untuk mengesanpunca berlakunya perlanggaran keselamatan.

(iii) Menyediakan bahan bukti bagi menentukan sama ada berlakunya perlanggaran keselamatan.

(f) Pematuhan

19. Pematuhan adalah merupakan prinsip penting dalam menghindar dan mengesan sebarangperlanggaran Dasar. Pematuhan kepada Dasar Keselamatan ICT Kerajaan boleh dicapai melaluitindakan berikut:

(i) Mewujud proses yang sistematik khususnya dalam menjamin keselamatan ICT untuk memantaudan menilai tahap pematuhan langkah-langkah keselamatan yang telah dikuatkuasakan.

(ii) Merumus pelan pematuhan untuk menangani sebarang kelemahan atau kekurangan langkah-langkah keselamatan ICT yang dikenalpasti.

(iii) Melaksana program pemantauan keselamatan secara berterusan untuk memastikan standard,prosedur dan garis panduan keselamatan dipatuhi.

(iv) Menguatkuasa amalan melapur sebarang peristiwa yang mengancam keselamatan ICT danseterusnya mengambil tindakan pembetulan.

(g) Pemulihan

20. Pemulihan sistem amat perlu untuk memastikan kebolehsediaan dan kebolehcapaian. Objektifutama adalah untuk meminimumkan sebarang gangguan atau kerugian akibat daripada ketidaksediaan.Antara lain, pemulihan boleh dilakukan melalui tindakan-tindakan berikut:

(i) Merumus dan menguji Pelan Pemulihan Bencana—(Disaster Recovery Plan).

(ii) Mengamalkan langkah-langkah membuat salinan data dan lain-lain amalan baik dalampenggunaan ICT seperti menghapuskan virus, langkah-langkah pencegahan kebakaran danamalan “clean desk”.

(h) Saling Bergantung

21. Langkah-langkah keselamatan ICT yang berkesan memerlukan pematuhan kepada semua prinsip-prinsip di atas. Setiap prinsip adalah saling lengkap-melengkapi antara satu dengan lain. Dengan itu,tindakan mempelbagaikan pendekatan dalam menyusun dan mencorak sebanyak mungkin mekanismakeselamatan, dapat menjamin keselamatan yang maksimum. Prinsip saling bergantung meliputi beberapaperingkat di mana di tahap minimum, mengandungi langkah-langkah berikut:

(i) Sambungan kepada Internet—Semua komunikasi antara sistem ICT dengan sistem luarhendaklah melalui mekanisma pusat untuk mengurus, menguatkuasa dan mengawas sebarangbahaya keselamatan. Melalui sistem ini, semua trafik dalaman hendaklah melalui gatewayfirewall yang diurus secara berpusat. Semua trafik dari luar ke dalam hendaklah juga melaluilaluan ini atau melalui kumpulan modem yang dikawal secara berpusat. Dengan itu, penggunaanmodem dalaman tidak dibenarkan.

(ii) Backbone Rangkaian—Backbone rangkaian akan hanya mengendalikan trafik yang telahdikod untuk meminimumkan intipan.

(iii) Rangkaian Jabatan—Semua rangkaian jabatan akan dihubungkan ke backbone melalui firewallyang mana akan pula mengkod semua trafik di antara rangkaian jabatan dengan rangkaiandi peringkat yang seterusnya atau pusat data.

MyMIS


(iv) Pelayan Jabatan—Semua data dan maklumat yang kritikal atau sensitif akan hanya disimpandi pelayan jabatan atau di pelayan yang diurus secara pusat. Ini akan meminimumkanpendedahan, pengubahan atau kecurian. Semua data dan maklumat sensitif akan dikodkan.

OBJEKTIF DASAR KESELAMATAN ICT KERAJAAN

22. Objektif utama Dasar Keselamatan ICT Kerajaan ialah seperti berikut:

(i) Memastikan kelancaran operasi Kerajaan dan meminimumkan kerosakan atau kemusnahan;

(ii) Melindungi kepentingan pihak-pihak yang bergantung kepada sistem maklumat daripada kesankegagalan atau kelemahan dari segi kerahsiaan, integriti, kebolehsediaan, kesahihan maklumatdan komunikasi; dan

(iii) Mencegah salahguna atau kecurian aset ICT kerajaan.

23. Dasar Keselamatan ICT Kerajaan ini juga bertujuan memudahkan perkongsian maklumat sesuaidengan keperluan operasi kerajaan. Ini hanya boleh dicapai dengan memastikan semua aset ICTdilindungi.

SKOP DASAR KESELAMATAN ICT KERAJAAN

24. Sistem ICT Kerajaan terdiri daripada manusia, peralatan, perisian, telekomunikasi, kemudahanICT dan data. Sistem ini adalah aset yang amat berharga di mana masyarakat, swasta dan jugaKerajaan bergantung untuk menjalankan urusan rasmi Kerajaan dengan lancar. Dengan itu, DasarKeselamatan ICT Kerajaan menetapkan keperluan-keperluan asas berikut:

(i) Data dan maklumat hendaklah boleh diakses secara berterusan dengan cepat, tepat, mudahdan dengan cara yang boleh dipercayai. Ini adalah amat perlu bagi membolehkan keputusandan penyampaian perkhidmatan dilakukan dengan berkesan dan berkualiti.

(ii) Semua data dan maklumat hendaklah dijaga kerahsiaannya dan dikendalikan sebaik mungkinpada setiap masa bagi memastikan kesempurnaan dan ketepatan maklumat serta untukmelindungi kepentingan kerajaan, bisnes dan masyarakat.

25. Memandangkan sistem ICT sangat kompleks dan terdedah kepada kelemahan, ancaman danrisiko, adalah tidak mudah untuk memenuhi keperluan ini. Sistem ICT dan komponennya yang salingberhubungan dan bergantungan antara satu dengan lain kerapkali mewujudkan pelbagai kelemahan.Sesetengah risiko hanya menjadi kenyataan setelah masa berlalu manakala sesetengahnya timbulapabila berlaku perubahan. Walau bagaimanapun risiko seperti ini hendaklah dikenalpasti dan ditanganisewajarnya.

26. Bagi menangani risiko ini dari semasa ke semasa, Dasar Keselamatan ICT Kerajaan akandiperjelaskan lagi melalui pengeluaran Standard Keselamatan ICT yang mengandungi garis panduanserta langkah-langkah keselamatan ICT. Kegunaan kesemua dokumen ini secara bersepadu adalahdisarankan. Ini adalah kerana pembentukan dasar, standard, garis panduan dan langkah-langkahkeselamatan ini diorientasikan untuk melindungi kerahsiaan data, maklumat dan sebarang kesimpulanyang boleh dibuat daripadanya.

27. Bagi menentukan Sistem ICT ini terjamin keselamatannya sepanjang masa, Dasar KeselamatanICT Kerajaan ini merangkumi perlindungan semua bentuk maklumat kerajaan yang dimasuk, diwujud,dimusnah, disimpan, dijana, dicetak, diakses, diedar, dalam penghantaran, dan yang dibuat salinankeselamatan ke dalam semua aset ICT. Ini akan dilakukan melalui penubuhan dan penguatkuasaansistem kawalan dan prosedur dalam pengendalian semua perkara-perkara berikut:

(i) Data dan Maklumat—Semua data dan maklumat yang disimpan atau digunakan dipelbagaimedia atau peralatan ICT.

(ii) Peralatan ICT—Semua peralatan komputer dan periferal seperti komputer peribadi, stesenkerja, kerangka utama dan alat-alat prasarana seperti Uninterrupted Power Supply (UPS),punca kuasa dan pendingin hawa.

MyMIS


(iii) Media Storan—Semua media storan dan peralatan yang berkaitan seperti disket, kartrij,CD-ROM, pita, cakera, pemacu cakera dan pemacu pita.

(iv) Komunikasi dan Peralatan Rangkaian—Semua peralatan berkaitan komunikasi seperti pelayanrangkaian, gateway, bridge, router dan peralatan PABX.

(v) Perisian—Semua perisian yang digunakan untuk mengendali, memproses, menyimpan, menjanadan mengirim maklumat. Ini meliputi semua perisian sistem, perisian utiliti, perisian rangkaian,program aplikasi, pangkalan data, fail program dan fail data.

(vi) Dokumentasi—Semua dokumentasi yang mengandungi maklumat berkaitan dengan penggunaandan pemasangan peralatan dan perisian. Ia juga meliputi data dalam semua bentuk mediaseperti salinan kekal, salinan elektronik, transparencies, risalah dan slides.

(vii) Manusia—Semua pengguna yang dibenarkan termasuk pentadbir dan pengurus serta merekayang bertanggungjawab terhadap keselamatan ICT.

(viii) Premis Komputer dan Komunikasi—semua kemudahan serta premis yang diguna untukmenempatkan perkara (i)-(vii) di atas.

28. Setiap perkara di atas perlu diberi perlindungan rapi. Sebarang kebocoran rahsia atau kelemahanperlindungan adalah dianggap sebagai perlanggaran langkah-langkah keselamatan.

29. Di samping itu, Dasar Keselamatan ICT Kerajaan ini juga adalah saling lengkap-melengkapi danperlu dilaksanakan secara konsisten dengan undang-undang dan peraturan yang sedia ada.

TANGGUNGJAWAB KETUA-KETUA JABATAN

30. Semua Ketua-ketua Jabatan perlu mematuhi Dasar Keselamatan ICT Kerajaan. Tugas dantanggungjawab Ketua-ketua Jabatan adalah seperti berikut:

(i) Menentukan semua pegawai dan staf jabatan memahami keperluan standard, garis panduan,prosedur dan langkah keselamatan di bawah Dasar Keselamatan ICT Kerajaan.

(ii) Menentukan semua pegawai dan staf jabatan mematuhi standard, garis panduan, prosedurdan langkah keselamatan di bawah Dasar Keselamatan ICT Kerajaan. Tindakan sewajarnyahendaklah diambil apabila berlaku sebarang perlanggaran keselamatan.

(iii) Menjalankan penilaian risiko dan program keselamatan berpandukan kepada standard, garispanduan, prosedur dan langkah keselamatan ICT.

(iv) Mengadakan Pelan Rancangan Pematuhan yang bertujuan untuk mengurus risiko yang timbulakibat daripada ketidakpatuhan kepada standard, garis panduan, prosedur dan langkahkeselamatan ICT.

(v) Melaporkan kepada MAMPU, Jabatan Perdana Menteri sebarang insiden perlanggarankeselamatan seperti kejadian-kejadian berikut:

• Maklumat didapati hilang, didedahkan kepada pihak-pihak yang tidak diberi kuasaatau, disyaki hilang atau didedahkan kepada pihak-pihak yang tidak diberi kuasa.

• Sistem maklumat digunakan tanpa kebenaran atau disyaki sedemikian.

• Kata laluan atau mekanisma kawalan sistem akses hilang, dicuri atau didedahkan,atau disyaki hilang, dicuri atau didedahkan.

• Berlaku kejadian sistem yang luar biasa seperti kehilangan fail, sistem kerapkali gagaldan komunikasi tersalah hantar.

• Berlaku percubaan menceroboh, penyelewengan dan insiden-insiden yang tidak diingini.

31. Tugas-tugas di atas hendaklah dilaksanakan oleh Pegawai Keselamatan ICT Jabatan yangbertanggungjawab kepada Ketua Pegawai Maklumat (CIO) sepertimana yang dilantik di bawah ArahanKSN Rujukan PM(S) 18114 Jld 13 (74) bertarikh 22 Mac 2000.

MyMIS


TANGGUNGJAWAB AGENSI PUSAT

32. Agensi pusat yang bertanggungjawab ke atas keselamatan ICT kerajaan adalah Unit PemodenanTadbiran dan Perancangan Pengurusan Malaysia (MAMPU), Jabatan Perdana Menteri. TanggungjawabMAMPU adalah seperti berikut:

(i) Memberi pendedahan dan penjelasan mengenai Dasar Keselamatan ICT Kerajaan.

(ii) Mengemaskini Dasar Keselamatan ICT Kerajaan termasuk menetapkan standard, garis panduan,prosedur dan langkah keselamatan dari semasa ke semasa.

(iii) Menyediakan perkhidmatan berpusat untuk menerima laporan insiden keselamatan ICT,penyebaran maklumat dan pelarasan tindakan pembetulan.

(iv) Memantau pelaksanaan dan menguatkuasa Dasar Keselamatan ICT Kerajaan.

PINDAAN DAN KEMASKINI

33. Dasar Keselamatan ICT Kerajaan adalah tertakluk kepada semakan dan pindaan dari semasake semasa selaras dengan perubahan teknologi, aplikasi, prosedur, perundangan dan kepentingansosial. Dasar ini hendaklah dibaca bersama dokumen-dokumen mengenai standard, garis panduan,prosedur dan langkah keselamatan ICT Kerajaan yang akan dikeluarkan dari semasa ke semasa.

MAKLUMAT LANJUT

Sebarang pertanyaan mengenai kandungan dokumen ini atau permohonan untuk keterangan lanjut,boleh ditujukan kepada:

Unit Pemodenan Tadbiran Dan Perancangan Pengurusan Malaysia(MAMPU) Jabatan Perdana Menteri(Bahagian Keselamatan ICT Kerajaan)Aras 6 Blok B2 Parcel BKompleks Jabatan Perdana MenteriPusat Pentadbiran Kerajaan Persekutuan62502 PUTRAJAYATelefon: 03-8888 2250Faks: 03-8888 3286E-Mel: [email protected]

Rangka Dasar Keselamatan ICT Kerajaan ini juga boleh diakses di laman web MAMPU JPM(http://www.mampu.gov.my)

MyMIS

Copyright MAMPU Appendix B - 1

EXAMPLES OF COMMON THREATS

a. Errors and Mistakes that can occur in daily business operations during the processingOmissions of information or data by users. Such mistakes could be due to incorrect

data entry or programming error and these can pose a threat to the integrityof the data and the whole system. Examples are false data entry, dataleakage, etc.

b. Fraud, Theft and Information that is stolen or used for fraudulent purposes. This criminal actImpersonation can be committed either by individuals or a group, insiders/outsiders or

former employees who still have access to the computer system (not terminatedpromptly). Examples include act of masquerading, computer theft, scavenging,etc.

c. Employee Actions by employees to destroy existing systems in retaliation or as vandalism.Sabotage Examples:

• destroying hardware or facilities to ensure the unavailability of the ICTsystem such as network failure, unavailability of hardware parts to operate,etc.;

• destroying programmes or data to discontinue the operations of the ICTsystem;

• entering data incorrectly to make the ICT system produce incorrect dataoutput;

• deleting data to ensure the unavailability of the data to produce an output;and

• installing programme bugs such as viruses into the ICT system

These could also happen if the system accounts of former employees arenot terminated immediately.

d. Loss of Physical Loss due to catastrophe such as power failure, data communication failure,and Infrastructure water leakage, fire, flood, civil disturbance, bomb threat, riots or strikes thatSupport can interrupt business operations. This results in ICT system downtime and

interrupted business transactions. Examples are software piracy, piggybackingand tailgating, asynchronous attack, etc.

e. Malicious These are criminal hackers that could be insiders and/or outsiders who breakHackers into the ICT system without authorisation. Usually a hacker is able to break

into the ICT system either through telecommunications network equipment(e.g. router, switches, hub) and/or communication lines. Hackers are receivingmore attention since they are skilled users of the language code to breakinto the ICT systems. Examples are logic bombs, scavenging, etc.

Appendix B

MyMIS

Copyright MAMPU Appendix B - 2

f. Malicious Code These codes refer to viruses, worms, Trojan Horses, logic bombs, and other‘uninvited’ programmes. They are transmitted through media such as diskette,CD and/or networks such as the internet and intranet. Even though thereare many solutions such as scanning are available to detect and destroythe code, some are not effective. This is due to the fact that the code isbecoming increasingly more complex everyday. Each solution is suitable fora specific or certain code only. Examples are Trojan Horses, computer virus,salami, superzapping, etc.

g. Industrial The act of gathering proprietary data from private companies or the governmentEspionage for the purpose of aiding another company or government. Industrial espionage

can be perpetrated either by companies seeking to improve their competitiveadvantage or by governments seeking to aid their domestic industries.

Foreign industrial espionage carried out by a government is often referredto as economic espionage. Since information is processed and stored onICT systems, ICT security can help protect against such threats; it can dolittle, however, to reduce the threat of authorised employees selling thatinformation.

The three most damaging types of stolen information are pricing information,manufacturing process information, and product development and specificationinformation. Other types of information stolen include customer lists, basicresearch, sales data, personnel data, compensation data, cost data, proposalsand strategic plans.

h. Foreign In some instances, threats posed by foreign government intelligence servicesGovernment may be present. In addition to possible economic espionage, foreign intelligenceEspionage services may target unclassified ICT systems to further their intelligence

missions. Sensitive information that may be of interest include travel plansof senior officials, civil defence and emergency preparedness, manufacturingtechnologies, satellite data, personnel and payroll data, law enforcement,investigative and security files.

MyMIS

Copyright MAMPU Appendix C - 1

Appendix C

EXAMPLES OF COMMON ABUSES, METHODS AND DETECTION

1 Eavesdropping and Spying Eavesdropping

For example wiretapping and monitoring of Voice wiretapping methodsradio frequency emanations. Observation

Tracing sources of equipment used

Spying

Inclusive of criminal acquisition of informationby covert observation.

2 Scanning

The process of presenting information Printouts from demonstrationsequentially to an automated system for the programmes may be used toidentification of those items that receive a incriminate a suspect.positive response (e.g., until a password isidentified)

3 Masquerading

The process of assuming (an intruder) the Audit log analysisidentity of an authorised user after acquiring Password violationsthe user’s ID information Observation

Report by person impersonated

4 Piggyback and Tailgating

Physical piggybacking is a method of Access observationsaccessing to controlled access areas where Interviewed witnessescontrol is accomplished by electronically or Examination of journals and logsmechanically locked doors. Electronic Out-of-sequence messagespiggybacking can occur where individuals use Specialized computer programs thatterminals in an online computer system and analyse characteristics of on linethe system automatically verifies identification. computer user accesses.Tailgating is the process of connecting acomputer user to a computer in the samesession as and under the same identifier asanother computer user, whose session hasbeen interrupted.

5 False Data Entry

The process of changing data before or during Data comparisonits input to computers (e.g. forging, Document validationmisrepresenting, or counterfeiting documents; Manual controlsexchanging computer tapes or disks; Audit log analysiskeyboard entry falsification; failure to enter Computer validationdata; and neutralizing or avoiding controls) Report analysis

Computer output comparisonIntegrity tests (e.g. value limits, logicconsistencies, hash totals, cross footand column totals and forged entry)

MyMIS


6 Superzapping

A utility program used as a systems tool to Comparison of files with historicalbypass all controls and able to modify or copiesdisclose any program or computer-based data. Discrepancies in output reports, asMany program similar to Superzap are noted by recipientsavailable for microcomputers as well. Such Examination of computer usage logspowerful utility programs which are used bysystem programmers and computer operatorscan be dangerous if it falls into the wronghands.

7 Scavenging

It is a process to obtain or reuse information Tracing of discovered proprietarythat may be left after processing or residual information back to its sourcedata left in a computer or computer tapes or Testing of an operating system todisks after job execution. reveal residual data after job execution

8 Trojan Horses

It is the process of making alteration or covert Program code comparisonplacement of computer instructions or data in Testing of suspected programsa program so that the computer will perform Tracing of unexpected events orunauthorized functions. It is the primary possible gain from the act to suspectedmethod used to insert instructions for other programs and perpetratorsacts of abuse (e.g. logic bombs, salami Examination of computer audit logs forattacks, and viruses). This is the most suspicious programs or pertinent entriescommonly used method in computer program-based frauds and sabotage.

9 Computer Viruses

It is a set of computer instructions that can The file size may increase when apropagate copies of versions of itself into virus attaches itself to the program orcomputer programs or data when it is data in the file.executed within unauthorised programs. An unexpected change in the time of

last update of a program or file mayindicate a recent unauthorizedmodification.If several executable programs havethe same date or time in the lastupdate field, they have been updatedtogether, possibly by a virus.A sudden unexpected decrease in freedisk space may indicate sabotage by avirus attack.Unexpected disk accesses, especiallyin the execution of programs that donot use overlays or large data files,may indicate virus activity

10 Salami Techniques

It is an automated form of abuse involving Detailed data analysis using a binaryTrojan Horses or secret execution of an searchunauthorised program that causes unnoticed Program comparisonor immaterial debiting of small amounts of Transaction auditsassets from a large number of sources or Observation of financial activitiesaccounts.

MyMIS


11 Trapdoors

It is a facility created by programmers to Exhaustive testinginsert code that allows them to compromise Comparison of specification tothe requirements of preventing unintended performanceaccess to the computer operating systems Specific testing based on evidenceand unauthorised insertion of modified code,during the debugging phases of programdevelopment and later during systemmaintenance and improvement.

12 Logic Bombs

It involves a set of instructions in a computer Program code comparisonsprogram periodically executed in a computer Testing of suspected programsoperating system that determines conditions\ Tracing of possible gains from the actor state of the computer. Such instructionswould facilitate the perpetration of anunauthorised or malicious act.

13 Asynchronous Attacks

These attacks normally force the System testing of suspected attackoperating system to perform requested jobs methodssimultaneously, which eventually forces the Repeat execution of a job underoperating system to use up all the resources normal and secured circumstancesavailable.

14 Data Leakage

This type of computer crime involves the Discovery of stolen informationunauthorised removal of data or copies of Tracing computer storage media backdata from a computer system or computer to the computer facilityfacility.

15 Software Piracy

Piracy is the copying and use of computer Observation of computer usersprograms illegally in violation of existing laws. Search of computer users’ facilitiesCommercially purchased computer programs and computersare protected by copyright and their use is Testimony of legitimate computerrestricted. program purchasers

Receivers of copied computerprograms

16 Computer Theft

Computer theft, burglary, and sale of stolen Cross check with ICT asset inventorymicrocomputers and components are severe Identification of equipmentproblems because the value of the contents of Observationstolen computers often exceeds the value of Report by ownerthe hardware taken. Audit log

17 Use of Computer for Criminal Perpetration

Use of a computer as a tool in a criminalactivity such as planning, data Investigation of possible computer usecommunications, or control or even simulating by suspectsan existing process or modelling a planned Identification of equipmentmethod for carrying out a crime, or monitoringa crime (i.e. by the abuser) to guarantee thesuccess of a crime can be carried out easily.

MyMIS

Copyright MAMPU Appendix D - 1

Appendix D

EXAMPLE OF CONTENTS LIST FOR AN AGENCY/DEPARTMENT ICT SECURITYPOLICY

1. Introduction

1.1 Overview

1.2 Scope and Purpose of the ICT Security Policy

2. Security Objectives and Principles

2.1 Objectives

2.2 Principles

3. Security Organization/Infrastructure

3.1 Responsibilities

3.2 Security Policies

3.3 Security Incident Reporting

4. IT Security/Risk Analysis and Management Strategy

4.1 Introduction

4.2 Risk Analysis and Management

4.3 Security Compliance Checking

5. Information Sensitivity and Risks

5.1 Introduction

5.2 Information Marking Scheme

5.3 Organization Information Overview

5.4 Organization Information Values/ Sensitivity Levels

5.5 Threats/Vulnerabilities/Risks Overview

6. Hardware and Software Security

6.1 Identification and Authentication

6.2 Access Control

6.3 Accounting and Audit Trail

6.4 Full Deletion

6.5 Malicious Software

6.6 PC Security

6.7 Laptop Security

MyMIS


7. Communications Security

7.1 Introduction

7.2 The Networking Infrastructure

7.3 Internet

7.4 Encryption/Message Authentication

8. Physical Security

8.1 Introduction

8.2 Location of Facilities

8.3 Building Security and Protection

8.4 Protection of Building Services

8.5 Protection of Supporting Services

8.6 Unauthorised Occupation

8.7 PC/Workstation Accessibility

8.8 Access to Magnetic Media

8.9 Protection of Staff

8.10 Protection against the Spread of Fire

8.11 Water/Liquid Protection

8.12 Hazard Detection and Reporting

8.13 Lightning Protection

8.14 Protection of Equipment against Theft

8.15 Protection of the Environment

8.16 Service and Maintenance Control

9. Personnel Security

9.1 Introduction

9.2 Terms of Employment

9.3 Security Awareness and Training

9.4 Employees

9.5 Self-employed People under Contract

9.6 Third parties

10. Document/Media Security

10.1 Introduction

10.2 Document Security

10.3 Storage of Media

10.4 Disposal of Media

MyMIS


11. Business Continuity, including Contingency Planning/Disaster Recovery, Strategy and Plan(s)

11.1 Introduction

11.2 Back-Up

11.3 Business Continuity Strategy

11.4 Business Continuity Plan(s)

12. Telecommuting

13. Outsourcing Policy

13.1 Introduction

13.2 Security Requirements

14. Change Control

14.1 Feedback

14.2 Changes to the Security Policy

14.3 Status of the Document

Source: ISO/IEC 13335 Part 3

MyMIS

Copyright MAMPU Appendix E - 1

Appendix E

A SAMPLE ICT SECURITY RISK MANAGEMENT PROCESS

STEP 1Set up a Risk ManagementCommittee

STEP 2Identify the security issues (threator vulnerabilities) associated withthe department ICT environment

STEP 5Identify the requirements ornecessary safeguards and countermeasures to reduce the impact ofidentified threats to an acceptablelevel

STEP 3Analyse the impact ofthose issues

STEP 4Quantify the severity of therisks or identified theirmonetary impact

STEP 6Implementsafeguards andmonitoreffectiveness

STEP 7Prepare riskmanagement reportand include residualrisk and uncertaintyanalysis

MyMIS

Copyright MAMPU Appendix F - 1

Appendix F

A SAMPLE ICT SECURITY ADHERENCE COMPLIANCE PLAN

MyMIS


Compliance Checklist Plan

No. Compliance Element Compliance checklist Yes No

1. Policies and ● Written and documentedProcedures

● Adopted at the department level

● Approved by management

● Promulgated and communicated to allemployees.

● State management commitment

● Reviewed at regular intervals

● Addressed in the department’s approachesto managing ICT security

● Addressed in the department‘s operatingprocedures, business rules and employees’ethics.

● Identify any legislation, standards, codes ofbest practice or other external requirementswhich the department has to adhere to thataffect its ICT applications

● Be consistent with ethical standardsbinding upon the occupations andprofessions of those employed by thedepartment

● Be accessible and easily understood byintended readers

● Identify the ICTSO together with his/herresponsibilities.

2. ICTSO ● Be assigned by management

● Be knowledgeable on ICT

● Have background, training or interest incompliance issues.➣ Understand roles and responsibilities.

3. Training and ● DevelopEducation ➣ Training plan

➣ dentify audience➣ Identify contents

➣ Implement and monitor the plan

MyMIS


No. Compliance Element Compliance checklist Yes No

4. Communication ● Establish Help Desk

5. Disciplinary Action ● Diplomacy actions taken

6. Audit ● Conduct internal audits at least once a year

● Identify non-compliance

● Report to CIO/ICTSO

● Use auditing tools

7. Corrective Action ● Reporting mechanisms

● Incident response handling

● Roles and responsibilities of variouscommittees

● Recovery steps

● Business resumption plan

MyMIS

Copyright MAMPU Appendix G - 1

Appendix G

A SAMPLE ICT STRATEGIC PLAN

THIS DOCUMENT

This document provides a template for the Agency ISP report. It provides further details on, andexamples of, the documents that will make up the ISP report. Agencies are encouraged to adapt theirexisting tables and diagrams to present the requested information.

The table below provides a guide on the information being provided under each item.

Information on the subject matter

Agency tasks. The information requested is the minimum expected and becomesless prescriptive in the later phases.

Agencies can provide further relevant information to support or clarify the subjectmatter

Examples

Fixed Format Response

Acknowledgment: This template has been based upon the DMR MacroscopeTM.

GENERAL

Agency Name :

Level (please tick relevant box):

Federal GovernmentState GovernmentStatutory BodyLocal Authority

MyMIS


Contact details for Person Responsible for ISP:

Name:

Position:

Address:

Tel No : Fax No:

Email id :

PROJECT INITIATIONProject Plan

If there is an existing ISP and it has been updated or implemented within the last 12 months,then a copy of the ISP can be submitted to MAMPU to confirm sufficiency.

If the latest ISP is more than 12 months old, then there is a need to update it and provide thedetails as requested in the template.

Business Context DefinitionOverview

This phase provides information on the current Agency and IT context that will provide the basisfor the subsequent phases to build their observations and form their recommendations.

It is expected that each Agency has its own vision and mission statement that have been revisedor updated within the last 12 months. Otherwise there is a need to confirm that these statementsare still valid.

Provide the schedule for the identified phases of the ISP.Provide the Manpower plan to carry out the ISP.The plan should be authorised by the Project Manager and have the approval of the Chairmanof the IT Steering Committee.

Mission Statement

Document the Agency’s existing Mission statement.Describe any IT initiative or projects undertaken to support the Mission.

MyMIS


“Our vision is to be a world class performer and a Malaysian leader in providing <services in .....>and to be recognised as such by our customers and suppliers so we will satisfy our customerexpectations for quality services at competitive prices.”

VISION STATEMENT FOR THE MAINTENANCE FUNCTION

BUSINESS VISION INFORMATION SYSTEM VISION

Autonomous work groups will be responsible Systems will set the optimum maintenancefor the maintenance of a group of assets date on the basis of the maintenance rules

and the component’s history

Maintenance personnel will be fewer in The system will intelligently group thenumber but more highly trained and multi- maintenance of related componentsskilled

Periodic maintenance will be reduced in Set the actual maintenance datefavour of on-condition maintenance

Reliable and non-critical components will be On-site maintenance will be assisted bysubject to breakdown maintenance only local access to all relevant maintenance

instructions and drawings in electronic form

All data regarding the maintenanceundertaken (labour, parts, modifications)will be captured on site

Document the Agency’s Strategic Drivers. These should cover business, the organisation andIT.

Describe any IT initiative or projects undertaken to support the Strategic Drivers.

Identify the Strategic Drivers including the government and external environment

The Strategic Drivers are those things that must be done well if the mission and objectives ofthe Agency are to be achieved.

They represent critical points in the business where leverage may be available. IT may play apart in assisting some of these drivers. It is essential to know the role of IT in assisting thesedrivers.

Vision statement

Document the Agency’s existing Vision statement.

Describe any IT initiative or projects undertaken to support the Vision.

MyMIS


State the trends and targets for the Agency’s main performance indicators. It should includefinancial targets (such as revenue, HR costs, IT expenses). Non-financial targets (such as clientservice level turnaround time) are also important.

Key performance indicators and trends

A SWOT (strengths, weaknesses, opportunities and threats) analysis of the Agency’s supportfunctions covering areas such as organisations, human resources, technology and functionalcapabilities.

SWOT analysis of support functions

The Agency Strategic Business Drivers were identified as:

● Implementation of customer driven business strategies and operations with emphasis onvalue adding customer service;

● Use of IT to optimise management of work and resources;

● Integration of strategic directions and initiatives with business operations, particularly in theco-ordination of change;

● Operating on a commercially competitive basis with commercial financial management practices;

● Alignment of Agency plans with the objectives and directions outlined within the ElectronicGovernment Blueprint;

● Availability of a skilled and motivated work force with clear purpose, accountability andresponsibility.

State the trends and issues in the Agency external environment ( including the use of IT ) forthe identified areas :

Key products & services

Customers

Distribution or access channels e.g. information or products to be provided to clients or otheragencies, or access channels to the Agencies services or products

Provide this information in a diagram, such as a context diagram. The diagram should show theAgency’s supply chain (including other agencies), clients and other external organisations theAgency must deal with in order to deliver its mission.

State the key factors that need to be managed for the Agency to meet its business objectives.

Business Environment—External

Business Environment—Internal

It is expected that Agencies will have developed key measures that describe the size and extentof their operations, in addition to key performance indicators used to manage its operations.

MyMIS


Findings from recent surveys and studies such as organisation reviews, etc.

If there are any surveys or studies carried out in the last 2 years, provide a brief synopsis ofthe findings emphasising any implications of the strategy for IT.

Show the Agency organisation chart with a brief description of the accountabilities of eachfunctional area. Include the reporting line for the IT organisation. List the key standing committeesand their area of responsibility. Include the Chairman and the members.

Functional roles & accountabilities

This is to provide information on Agency readiness to implement change, which is required inorder to transform the organisation. The readiness of the Agency will depend on the existingability and experience of staff and management in relation to organisational change.

Generally, if an organisation has been exposed to major change, then it will be better preparedto embark on the ISP migration plan and manage the risks involved.

Capacity for Change

Identify any change programmes the Agency has carried out in the last 3 years including organisationalrestructuring, introduction of new processes and procedures and new IT projects.

This information can be illustrated by means of a context diagram showing the Agency’s importantfunctions and the information flows between them.

Organisational ReviewHigh-level business model

List the issues that each senior manager identifies that he/she would like to resolve to betterachieve his/her business objectives.

List the areas the senior managers identify could be more effective with IT support or improvedIT service levels.

Identify any external comparisons that provide ‘best practice’ measures on the Key PerformanceIndicators.

Review of key management processes

MyMIS


IT Literacy

This is to provide an insight as to the IT knowledge of the Agency population, other than theIT department. Measures that describe IT literacy could include: the number of staff with a PC;number with access to PC; experience with managing a remote node of a network; non-IT staffinvolved with the integrity of the Agency data, the number of staff with MS Office skills, etc.

Provide measures that describe the IT literacy of the Agency staff and their key clients

BASELINE IT ASSESSMENTReview of Current Information Technology Environment

Applications Portfolio

This is not restricted to classic MIS application systems, but includes all applications of IT tosupport business requirements (e.g. office technology, voice/image...). These applications mightbe applications developed by user departments other than IT

Identify existing application systems:Big 10 : the 10 applications which make the most contribution to supporting the business, especiallythe strategic driversNew 10: the 10 most recently developed applications, which make critical contributions to thebusiness. These applications may or may not overlap with the Big 10,Next 10: the projects currently underway which are intended to make critical contributions to thebusiness.For each application identified, provide :● a short description of the application explaining its main functional areas and main group

of users● an assessment of its value to the Agency such as High, Medium or Low● an assessment of the underlying IT Technology such as Leading Edge, Current or Out of

date● the number of master records for the application and the size of it’s database● the number of transactions per day (Provide the volume for a relevant measurement period).

Technology penetration

Assess the level of IT investment and usage. Provide the following information :● Amount of IT investment for Hardware & software for past 3 years● Amount of IT expenses for Overhead (such as salary ) for the past year● No of employees in the whole organisation● No of PCs not LAN connected● No of LAN connected PCs● Identify other terminal devices (e.g. VDUs, printers) and the number for each type● No of Processors● No of users with email access● No of users with Internet access● No of users with MS Office (Word, PowerPoint & Excel) skills.

MyMIS


IT organisation, resources and skills

Provide the existing IT organisation structure and headcount including the reporting channel tomanagement and any outsourced services. Identify the number of permanent and contractingpersonnel in the organisation structure. Also include people outside the IT department but whodo IT work or who have a working liaison with IT as part of their job.Identify the existing experience and skills level.Identify the typical IT projects carried out and whether they are implemented internally or withexternal assistance.Provide an indication on the user satisfaction level to the IT range and quality of services.

IT management process

Listed are some examples of IT management processes.Development and Maintenance e.g. applications planning, monitoring and control; data management,application/software development and upgrade, tuning and system balancing,Management e.g. financial planning, monitoring and control,Service Delivery e.g. service level management, security managementResource Management e.g. capacity, skillsResource Control e.g. change controlService Control e.g. production and distribution scheduling,Information Services e.g. production, distribution, network management

Identify the existing management processes being practised.

Indicate when the documented policy and procedures were last updated or reviewed.

Provide the Table of Contents for each of the documented internal management processes, whichare being adhered to.

ISO 9000 accreditation

Identify the areas or processes, which the Agency have completed or are working towards ISO9000 accreditation. For each of these areas, provide the following details:

● The current progress,

● The completed date or planned time frame in achieving the accreditation.

● IT Service Level Management

● Does service level agreement exist for:

● major applications,

● infrastructure (such as desktop and network),

● IT support.

If yes, summarise the key service levels for each of the above.

IT environment

It is expected that each Agency can provide high level, or Architecture diagrams that describethe IT environment. These would normally cover applications, data and IT infrastructure (Host,or network computers, networks, etc.)

Provide the Architecture Layer Diagrams for the Agency. At the very least, it should cover:production environment,development and testing environment.

MyMIS


Refer to Example 1 in Sample Diagrams.

Provide Network Diagrams for the Agency’s network which show:

● LAN,

● WAN,

● Connectivity to public networks,

● Connectivity to other external organisations and agencies

● Include information such as bandwidth, location topology and protocols.

Refer to Example 2 - 4 in Sample Diagrams.

Strategic DirectionsSummary

Based on the analysis of the corporate strategies, business drivers and the current businessand IT assessment, develop the agreed model of the transformed organisation. This may requirethe use of business process re-engineering (BPR) techniques.

The transformed organisation

Provide the model(s) which describe the transformed organisation.Describe the changes in the Agency, its business practices, supply & delivery channels, etc.required to satisfy the strategic drivers.

Role of Information Technology in supporting the new organisation

Determine the business drivers for IT that will drive changes to the IT organisation, its businesspractices, its services and if necessary, its IT infrastructure.

Implications of IT for the new organisation

Determine the changes IT will need to undergo in order to support the transformed organisation

Opportunity Areas

Determine the immediate opportunity areas in which IT can provide leverage to the business

MyMIS


IT OPPORTUNITY QualificationSummary

This phase builds on the work of the Strategic Directions and identifies all the IT opportunitiesto support the Agency to achieve its target. These opportunities should be assessed against thereality of IT services, facilities and staff capability, the business priority and the resulting benefits.This phase will produce the list of IT projects to be carried out through the ISP.

Summary of projects identified, concentrating on business case aspects

Provide a summary list of identified IT projects in a table with an assessment of:

● Strategic value to Agency

● Benefits to be delivered

● Costs

● Priority

● Risk

● Implementation impact

● IT impact

● EG alignment.

Summary of cost/benefit analyses

Provide a summary list of identified IT projects and their projected costs and benefits, bothtangible and intangible.

Project Definition (to be treated for each recommended project)

For each recommended project provide :

● Project overview

● New environment scenario

● Project Objective

● Target user groups

● Resources required (people, costs, other,.....)

● Architectural implications

● Technical feasibility

● Key dependencies

● Overall schedule

● Expected benefits

● Cost estimates

● Risk assessment

● Impact assessment

MyMIS


Deferred Projects

Provide a list of the deferred projects with the following:

● Description of deferred project

● Reasons for deferment

● Plans for re-examination

TARGET IT INFRASTRUCTUREVision for Information Technology

The IT vision will be based upon the findings of the Baseline IT assessment and the businessvision. It will describe the changes that IT management will need to implement to support thetransformed organisation. This deliverable will provide the focus for IT projects during the ISPtimeframe

Provide the Agency IT vision and mission statement to support the transformed organisation.

Provide a summary of the IT support required for the transformed organisation.

Describe the key IT policies and principles.

List the IT business drivers.

List the IT organisational changes required.

IT Group aim to be:

● A strategic asset that is flexible and enhances the Agency’s opportunities for growth andbusiness performance.

● A fundamental part of business re-engineering and total quality processes - a facilitator andcatalyst of change - providing managed leverage and value add to the business.

● Demonstrate support for EG polices and directions through the submission of aligned projectsfor funding.

● Managed as a business issue not a technical one.

● Supplied by value adding service and product suppliers both internal and external to theAgency working in partnership with the business.

● Meeting the balanced and justified needs of both the Agency and its operating units.

● An area where the Agency excels and focuses on the application of Information Technologyfor business advantage.

● Clearly enjoying the benefits of consistency with IT standards and policies, which are manifestedin enhanced flexibility, cost efficiency and effectiveness, managed risk and business advantage.

MyMIS


Information Technology Infrastructure

Applications Portfolio

Provide a list of the application systems according to the following grouping :

● Prime business applications—which support the Agency business objectives and EG’s objectives

● Internal management applications—which support internal management such as HR, projectmanagement

● Support applications such as word processing, workflow, e-mail, document management.

● Provide high-level diagrams of applications for the target organisation showing the applicationsand their interfaces, including applications of external agencies and organisations, if appropriate.

Data model

Provide a high level Data Model at the “data subject” level to show the information base of thetransformed organisation.

IT Delivery Model

Provide the following diagrams to show what and how IT will be delivered to the users :

● Architecture Layer Diagrams

● Network Diagrams

● Technology Zone Map

(Refer to the requirement for the current IT environment in Section 6).

IT ManagementIT Organisation & Manpower

This phase defines the IT management structure, practices and skills, etc. to support the transformedorganisation.

IT Steering Committee

If there is no existing IT Steering Committee, indicate whether there are any plans to establishsuch a Committee and when it will be set up.

MyMIS


IT Organisation Chart

Provide the target IT organisation structure to support the transformed organisation.

Indicate the user access channels to obtain support.

Provide the critical support departments that are required to work with IT or to support IT (e.g.Business Process Management, Systems & Methods).

Provide the strategies such as internally provided system integrators or outsourcing, etc for theAgency to provide the required support.

IT Skills Required

Identify the IT skills required to support the target IT organisation and how the agency plan toequip itself with the required skill set. Information needed include :

● Skills required,

● Is it available internally,

● How to obtain the skills required. (e.g. recruitment, internal development, use of consultants,outsourcing).

Headcounts

Indicate the number of personnel estimated to staff the target IT and any new support departments.

Service Level Management

Describe :

● IT services required,

● Service level targets.

IT Management Processes (defined for each key process with recommended changes)

Provide a description of the IT Management processes to be implemented. Include :

● Purpose of the process,

● Stakeholders,

● Proposed changes.

Migration PlanningSummary

The Migration Plan for the ISP period sets out the projects and time frame that will move theAgency from its current state to the transformed organisation.

MyMIS


Provide:

● A summary of the Migration Plan,

● Brief overview of objectives, key agency objectives and migration strategy.

● Brief description of key projects (objective/deliverable, delivery date, cost/benefit, significantrisk issues).

Financial Summary

Provide a table of recommended projects with their cost benefit information.

Implementation Strategy

Provide the implementation strategy including :

● Summary of target environment (overall organisation and IT environment),

● Major migration objectives for next 3 to 5 years,

● Approach and phases to migrate to target environment,

● Change management issues and recommendations.

Projects Schedule (For next 3 to 5 years)

Provide a Gantt chart, which shows a schedule of all recommended projects. Include the ITmanagement initiatives identified during the IT Management phase.

EXECUTIVE SUMMARYExecutive Summary

The Executive Summary is an important deliverable that will provide the Agency and otherGovernment staff a clear overview of the Agency ISP. It will hopefully encourage Agency staffto read the detailed sections that comprise the ISP.

Provide a summary for the executive group that summarises the key findings and recommendations.

MyMIS


Sample DiagramsExample 1 - Architecture Layer Diagram

Architecture Host System LAN WorkstationsLayer Servers

Applications For budgeting and For relatively routine business and corporateother special core functions (HR, GL, AP, Library and Recordsbusiness functions, a Mgt etc) application packages preferablysuite of systems, running on the LAN file serverscustom designed tomeet Agencyrequirements andinterfaced whereappropriate to thefinancial system,SAGA

Tools Potentially an Standard MS Office EnvironmentEconomic Modelling (Word, Excel, PowerPoint)Took E-mail (MS Mail)

Tools High ProductivityDevelopment

Development Environment Standard User-Developer small systemsEnvironment (Windows-4GL, development environment (MS Access)

Powerbuilder, Visualbasic)

DBMS SQL based RelationalDatabase (Oracle,Informix, Sybase)

User Interface Microsoft Environment (MS Windows or Work Groups for Windows)

Access Security Transparent Network and Database Security

Network Robust network operating system (Novell)

Operating Systems An open systems MS DOS MS DOSOperating System Windows(UNIX, Windows NT) NT

Hardware Platform High Performance PCs - Desk Top PCsHost Processors(s) Pentium Notebook PCs(HP, IBM, etc) Firewall

File Servers

MyMIS


Example 2—Technology Zone Map

MyMIS


MyMIS

Copyright MAMPU Appendix H - 1

Appendix H

KERAJAAN MALAYSIA


MEKANISME PELAPORANINSIDEN KESELAMATAN TEKNOLOGI MAKLUMAT

DAN KOMUNIKASI (ICT)

JABATAN PERDANA MENTERIMALAYSIA

Dikelilingkan Kepada:



Semua Ketua Pengurusan Badan Berkanun Persekutuan



MyMIS


JABATAN PERDANA MENTERI MALAYSIA Telefon: 603-8888 1957KOMPLEKS JABATAN PERDANA MENTERI Faks: 603-8888 3721PUSAT PENTADBIRAN KERAJAAN PERSEKUTUAN62502 PUTRAJAYA

Rujukan Kami: PM (S) 10034 Jld. 8 (96)Tarikh: 4 April 2001

Semua Ketua Setiausaha KementerianSemua Ketua Jabatan PersekutuanSemua Ketua Pengurusan Badan BerkanunSemua Y.B. Setiausaha Kerajaan NegeriSemua Ketua Pengurusan Pihak Berkuasa Tempatan


MEKANISME PELAPORANINSIDEN KESELAMATAN TEKNOLOGI MAKLUMAT

DAN KOMUNIKASI (ICT)

TUJUAN

Pekeliling ini bertujuan untuk menjelaskan mekanisme pelaporan insiden keselamatan teknologi maklumatdan komunikasi (ICT) bagi sektor awam.

LATAR BELAKANG

2. Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan yang dikeluarkan pada1 Oktober 2000 melalui Pekeliling Am Bil. 3 Tahun 2000 telah merumuskan keperluan penguatkuasaan,kawalan dan langkah-langkah yang menyeluruh untuk melindungi aset ICT kerajaan bagi menjaminkesinambungan urusan kerajaan dengan meminimumkan kesan insiden keselamatan. Dengan itu satumekanisme perlu diwujudkan untuk memantau perkara ini dan menentukan semua agensi sektorawam mematuhi dasar dan tatacara keselamatan ICT dan pada masa yang sama meningkatkankesedaran mengenai keselamatan ICT di sektor awam.

INSIDEN KESELAMATAN

3. Insiden keselamatan bermaksud musibah (adverse event) yang berlaku ke atas sistem maklumatdan komunikasi (ICT) atau ancaman kemungkinan berlaku kejadian tersebut. Ia mungkin suatu perbuatanyang melanggar dasar keselamatan ICT samada yang ditetapkan secara tersurat atau tersirat.

4. Kejadian insiden boleh berlaku dalam pelbagai keadaan. Insiden yang ketara dan sering berlakudi masa kini termasuk kejadian-kejadian berikut:

(a) Percubaan (sama ada gagal atau berjaya) untuk mencapai sistem atau data tanpa kebenaran(probing);

(b) Serangan kod jahat (malicious code) seperti virus, trojan horse, worms dan sebagainya;

MyMIS


(c) Gangguan yang disengajakan (unwanted disruption) atau halangan pemberian perkhidmatan(denial of service);

(d) Menggunakan sistem untuk pemprosesan data atau penyimpanan data tanpa kebenaran(unauthorised access); dan

(e) Pengubahsuaian ciri-ciri perkakasan, perisian atau mana-mana komponen sesebuah sistemtanpa pengetahuan, arahan atau persetujuan mana-mana pihak.

5. Semua insiden keselamatan ICT yang berlaku di mana-mana agensi perlu dilaporkan kepadaGovernment Computer Emergency Response Team (GCERT), satu pasukan khas yang ditempatkandi MAMPU bertanggungjawab menangani semua aduan mengenai insiden yang dilaporkan. Semuamaklumat adalah SULIT, dengan itu tidak boleh didedahkan tanpa kebenaran agensi berkenaan.

TUJUAN PELAPORAN

6. Laporan mengenai insiden keselamatan ini adalah penting kepada GCERT untuk mendapat maklumatbagi membolehkannya menyediakan bantuan teknikal kepada agensi-agensi yang terlibat. Maklumatyang terkumpul juga boleh dijadikan panduan dalam menangani insiden yang sama yang berlaku dilokasi-lokasi yang lain. Ia juga boleh digunakan sebagai panduan bagi mengelak daripada kejadianyang sama berulang. Semua laporan yang diterima oleh GCERT akan dikumpulkan dalam pangkalandata dan maklumat ini merupakan input penting kepada perancangan strategik dan pemantauanmengenai keselamatan ICT di sektor awam. Dalam proses menyelesaikan sesuatu masalah, GCERTakan bekerjasama rapat dengan agensi terlibat dan pihak-pihak lain yang berkaitan. Interaksi sepertiini akan dapat meningkatkan pengetahuan di samping memupuk kerjasama dan hubungan baik diantara agensi.

TANGGUNGJAWAB GOVERNMENT COMPUTER EMERGENCYRESPONSE TEAM (GCERT)

Government Computer Emergency Response Team (GCERT) di MAMPU adalahbertanggungjawab menangani semua laporan insiden keselamatan ICT yang melibatkan sektorawam. Secara amnya tugas GCERT adalah seperti berikut:

(a) Menerima dan mengambil tindakan ke atas insiden keselamatan yang dilaporkan;

(b) Menyebarkan maklumat bagi membantu pengukuhan keselamatan ICT sektor awam darisemasa ke semasa;

(c) Menyediakan khidmat nasihat kepada agensi-agensi dalam mengesan, mengenalpasti danmenangani sesuatu insiden keselamatan; dan

(d) Menjadi penyelaras dengan pihak-pihak yang terlibat seperti Malaysian Computer EmergencyResponse Team (MyCERT), pembekal, Internet Service Provider (ISP) dan agensi-agensipenguatkuasa.

KEUTAMAAN TINDAKAN

8. Tindakan ke atas insiden yang dilaporkan akan dibuat berasaskan keparahan sesuatu insiden.Secara amnya keutamaan akan ditentukan seperti berikut:

Keutamaan 1:

Aktiviti yang berkemungkinan mengancam nyawa atau keselamatan negara.

MyMIS


Keutamaan 2 :

(a) Pencerobohan atau percubaan menceroboh melalui infrastruktur internet ke atas:

i. Domain Name Servers (DNS)

ii. Network Access Points (NAPs)

iii. Pusat-pusat pangkalan data utama

(b) Halangan pemberian perkhidmatan yang meluas (Distributed Denial of Service);

(c) Serangan atau pendedahan bahaya terbaru (new vulnerabilities); atau

(d) Jenis-jenis insiden lain seperti:

i. Pencerobohan melalui pemalsuan identiti

ii. Pengubahsuaian laman web, perisian, atau mana-mana komponen sesebuah sistemtanpa pengetahuan, arahan atau persetujuan pihak yang berkenaan; atau

iii. Gangguan sistem untuk pemprosesan data atau penyimpanan data tanpa kebenaran.

TANGGUNGJAWAB AGENSI PELAPOR

9. Agensi yang mengalami insiden keselamatan adalah dimestikan melapor setiap insiden kepadaGCERT. Setiap agensi perlu menyediakan prosidur operasi atau Standard Operating Procedure (SOP)berdasarkan infrastruktur ICT masing-masing supaya setiap insiden yang berlaku dapat ditanganidengan segera dan sistematik. Tugas-tugas ini diletakkan di bawah tanggungjawab Ketua PegawaiMakumat (CIO) dan Pegawai Keselamatan ICT (ICTSO).

10. Tugas CIO dalam aspek ini adalah seperti berikut:

(a) Menguruskan tindakan ke atas insiden yang berlaku sehingga keadaan pulih;

(b) Mengaktifkan Business Resumption Plan (BRP) jika perlu; dan

(c) Menentukan samada insiden ini perlu dilaporkan kepada agensi penguatkuasaan undang-undang/keselamatan.

11. Secara khusus tugas ICTSO dalam menangani insiden keselamatan ICT pula adalah sepertiberikut:

(a) Menentukan tahap keutamaan insiden;

(b) Melaporkan insiden kepada GCERT; dan

(c) Mengambil langkah pemulihan awal.

PROSES PELAPORAN

12. Proses pelaporan dijelaskan di lampiran A. Lampiran A1 menunjukkan hubungan antara agensidan entiti yang terlibat dalam proses pelaporan manakala Lampiran A2 merupakan aliran kerja terperincibagi proses pelaporan insiden keselamatan ICT sektor awam.

KAEDAH PELAPORAN

13. Laporan boleh dibuat menggunakan kaedah-kaedah berikut:-

(a) Mel Elektronik (E-mel) :-

Alamat e-mel : [email protected]

(b) Borang Pelaporan Insiden :-

Boleh diperolehi di laman : http://gcert.mampu.gov.my

MyMIS


(c) Telefon Hotline

Nombor tel. : 03-88883150

(d) Faks

Nombor faksimili : 03-88883286

(e) Bagi agensi yang mempunyai kemudahan aplikasi PGP (Pretty Good Practice) sila gunakanPGP Public Key seperti di bawah untuk encrypt laporan yang akan dihantar kepada GCERT.Key tersebut juga boleh didapati di laman web GCERT:- http://gcert.mampu.gov.my

KHIDMAT NASIHAT

14. Sebarang kemusykilan yang timbul berkaitan dengan Surat Pekeliling ini hendaklah dirujuk kepadaGCERT, seperti di bawah:

Government Computer Emergency Response Team (GCERT)Bahagian Keselamatan ICT, MAMPUAras 5, Blok B1, Parcel BKompleks Jabatan Perdana MenteriPusat Pentadbiran Kerajaan Persekutuan62502 PUTRAJAYA

No. Hotline : 03-88883150No. Faksimili : 03-88883286E-mel : [email protected]

15. Khidmat GCERT boleh diperolehi setiap hari bekerja mulai pukul 8.15 pagi hingga 4.45 petang.Sekiranya agensi menghadapi insiden yang kritikal, iaitu insiden di bawah Keutamaan 1, di perenggan8, GCERT boleh dihubungi serta merta dan jika ia berlaku di luar masa pejabat, pegawai yang bolehdihubungi adalah seperti berikut:

(a) Bahagian Keselamatan ICT

(i) Pengarah : 03-88882250

(ii) Timbalan Pengarah : 03-88882581

(b) Pasukan GCERT:

(i) Pengurus : 03-88882273

(ii) Pegawai : 03-88882587

TARIKH KUATKUASA

16. Surat arahan ini berkuatkuasa mulai tarikh surat ini dikeluarkan.

(TAN SRI SAMSUDIN BIN OSMAN)Ketua Setiausaha Negara

MyMIS


LAMPIRAN A

MyMIS


PE

LA

PO

RIC

TS

OC

IOG

CE

RT

AG

EN

SI

MyC

ER

T/I

SP

PE

NG

UA

TK

UA

SA

/K

ES

EL

AM

ATA

N

La

po

r in

sid

en

Insi

de

n d

ike

san

Jala

nka

n s

iasa

tan

aw

al

Pe

rtim

ba

ng

kan

pe

rka

rab

eri

kut

sam

a a

da

:1

.Ta

ha

p k

ritik

al

insi

de

n b

ole

hm

en

ga

nca

msi

ste

m l

ain

;2

.F

akt

or

ma

saa

da

lah

kri

tika

l;d

an

3.

Da

sar

kese

lam

ata

na

tau

Un

da

ng

-u

nd

an

g t

ela

hd

ilan

gg

ari

Jala

nka

n l

an

gka

h-

lan

gka

hp

em

elih

ara

an

bu

kti

(Ru

juk

SO

P)

La

po

r ke

pa

da

CIO

5.2

Ra

jah

2 :

Ja

du

al

Terp

eri

nc

i B

ag

i P

rose

s K

erj

a P

ela

po

ran

In

sid

en

Ke

sela

ma

tan

IC

T A

ge

nsi

ya

ng

te

rlib

at

▼▼ ▼ ▼ ▼

▼

A

MyMIS


▼A B

C

▼ ▼▼

▼ ▼

D

▼

PE

LA

PO

RIC

TS

OC

IOG

CE

RT

AG

EN

SI

MyC

ER

T/I

SP

PE

NG

UA

TK

UA

SA

/K

ES

EL

AM

ATA

N

▼▼ ▼

▼

▼

Teri

ma

la

po

ran

insi

de

n

Akt

ifka

n P

ela

nK

esi

na

mb

un

ga

nP

erk

hid

ma

tan

(BR

P)

j ika

pe

rlu

La

po

r ke

pa

da

GC

ER

T

▼A

da

kah

in

sid

en

pe

rlu

tin

da

kan

un

da

ng

-un

da

ng

?

T

Y•

Da

fta

rin

sid

en

•R

eko

dm

akl

um

at

insi

de

n

Ka

ji in

sid

en

Pe

rlu

kah

ba

ntu

an

MyC

ER

T?

YT

Be

rikh

idm

at

na

sih

at/

perk

ongs

ian

ma

klu

ma

t

MyMIS


▼C E▼

D

PE

LA

PO

RIC

TS

OC

IOG

CE

RT

AG

EN

SI

MyC

ER

T/I

SP

PE

NG

UA

TK

UA

SA

/K

ES

EL

AM

ATA

N

Y

T

▼

▼

▼

▼▼

▼

Pe

rlu

kah

sia

sata

nla

nju

td

i lo

kasi

ag

en

si?

Be

ri b

an

tua

np

en

yele

saia

nm

asa

lah

insi

de

nse

cara

rem

ote

Re

kod

ma

klu

ma

ttin

da

kan

ya

ng

dia

mb

il d

an

tutu

p k

es

insi

de

n

Jala

nka

np

en

yia

sata

nte

rpe

rin

cid

en

ga

nke

rjsa

ma

ICT

SO

di

loka

si

Be

ri k

erj

asa

ma

kep

ad

a K

um

pu

lan

GC

ER

T

Ad

aka

hm

asa

lah

sele

sai?

Mak

lum

kep

ada

ag

en

si a

kan

keh

ad

ira

nK

um

pu

lan

GC

ER

T

▼T

Y

MyMIS


▼E ▼

PE

LA

PO

RIC

TS

OC

IOG

CE

RT

AG

EN

SI

MyC

ER

T/I

SP

PE

NG

UA

TK

UA

SA

/K

ES

EL

AM

ATA

N

Tind

akan

IR

Hdi

lok

asi:

•K

awal

kero

saka

n•B

aikp

ulih

min

ima

deng

anse

gera

•S

iasa

tan

insi

den

deng

ante

rper

inci

•Ana

lisa

Impa

k(B

usin

ess

Impa

ctA

naly

sis)

•Has

ilkan

lapo

ran

Insi

den

•Ben

tang

dan

kem

ukak

anla

pora

nke

pada

agen

si•S

elar

aska

ntin

daka

n di

anta

ra a

gens

ida

n A

gens

iP

engu

atku

asa/

Kes

elam

atan

(jika

berk

enaa

n)

Rek

od l

apor

anda

n tu

tup

kes

insi

den

▼B

Am

bil

tinda

kan

ke a

tas

insi

den

yang

men

yala

hiun

dang

-und

ang

dan

pera

tura

nbe

rkai

tan

(Ker

jasa

ma

deng

anG

CE

RT

di

loka

si j

ika

perl

u)

▼

MyMIS

Copyright MAMPU Appendix I - 1

Appendix I

A SAMPLE HELP DESK REPORTING FORM

Name : ——————————————————

Location : ——————————————————

Date/Time : ——————————————————

Description of Problem : ——————————————————

Date of Occurrence : ——————————————————

Level : Less Critical Medium Critical

Action : ——————————————————

Action Taken By : ——————————————————(Date/Time)

MyMIS

Copyright MAMPU Appendix J - 1

Appendix J

A SAMPLE EMPLOYEE AWARENESS FORM

EMPLOYEE AWARENESS FORM

Employee Awareness Form is to find out about the security awareness of the staff.

Please write your details below:

Organisation :

Department :

Name and Position :

Date :

MyMIS


Physical Security

Is your computing equipment properly secured?

Is your computer inside an area which is not easily accessible to someone

who might steal it or its components?

Is your office properly secured when no one is there?

Virus and Threat Protection

Do you have the latest anti-virus software for your computer?

Do you usually scan to check all floppies for viruses before you use them?

Do you use different disks between your home and office computers?

Does your organisation scan servers and desktops periodically

for security vulnerabilities?

Operating Systems

Are the operating systems you use updated with current security “patches’?

Do you feel that the file permissions are verified and set properlyon your servers?

Application Software

Are your common applications configured for security?

Does the staff have the appropriate level of access to applications based

on their current responsibilities?

Is application access promptly removed for employees who have left thedepartment?

Confidentiality of Sensitive Data

Do you work with sensitive information such as financial data or personnelrecords?

Are you exercising your responsibility to protect sensitive data under your

control?

Are you aware that sensitive data or memo send via e-mail should beencrypted?

Record your assessment by checking at the appropriate columns.

Security Element Yes No

MyMIS


Passwords

Have you changed your password in the last one-month?

Do you use different passwords for office administrative work as you do

for other activities such as Web surfing?

Do you keep your password secret from your friends, co-workers or boss?

Disaster Recovery

Does your organisation have a disaster recovery plan?

Would you be able to continue working without your computer?

Do you know what to do and whom to contact if you have an ICTcomputer security incident?

Data Back-up and Restoration

Do you back-up all important files or records?

Have you back-up your computer files this week?

Is your back-up data stored in a secured site?

Encryption

Do you know what encryption is?

Are Official Secret data in your organisation encrypted?

Do you encrypt Official Secret information stored digitally?

Security Awareness and Education

Are you aware of your organisation or departmental ICT security policies,guidelines or procedures to protect information?

Do you always use licensed software?

Do you register shareware in your office?

Have you had any training on ICT computer security?

MyMIS

Copyright MAMPU Appendix K - 1

Appendix K

A SAMPLE EMPLOYEE SECURITY CHECKLIST

Yes No

Is there an individual or department responsible for computer related security?

Are applicant references and background fully checked prior to employment?

Do relevant employees sign the agreement?

Are all new personnel advised on internal security practices?

Is there a formal manual defining the organisation’s security standards andprocedures?

Is this manual mandatory reading for new personnel?

Are changes in security practices incorporated in the manual and disseminatedto the staff?

Is there an on-going programme of computer security education for all userpersonnel?

Is the programme kept current?

Is there an individual or a committee responsible for monitoring compliance withsecurity standards and procedures?

Is a security check carried out for contract and temporary personnel?

Are the security arrangements for temporary personnel the same as those offull time employees?

Are identifications used to identify personnel?

Do the identifications indicate the level of employment security?

Are all personnel engaged in confidential or other sensitive work requested toleave immediately on resignation or dismissal?

MyMIS

Copyright MAMPU Appendix L - 1

Appendix L

DISASTER RECOVERY AND CONTINGENCY PLANNINGCHECKLIST FOR ICT SYSTEMS

I. GETTING READY

A. Obtain written commitment from top management of support for contingency planningobjectives.

B. Assemble the contingency planning team to include one or more permanent membersfrom:

1. Computer support staff

2. Operational or unit managers

3. Facilities management

4. Department Safety Committee

5. ICTSO

C. Provide for the planning committee to include participation on an “as needed” basisfrom the following departments:

1. Internal Audit (compliance)

2. Police (coordination)

3. Information & Communications Technology (ICT)

4. Others as required.

D. Define the responsibility of planning committee members. Appoint;

1. Moderator to facilitate planning meetings

2. Secretary to take and prepare meeting notes and agenda’s

3. Administrator to aggregate meeting materials

II. GATHERING NECESSARY INFORMATION - RISK ASSESSMENT

A. Prepare a written description of the mission - critical functions of the Department andUnits.

B. Identify the areas impacted by an emergency:

1. Functional Operation of the Department

2. Service to Clients/ Staff

3. Obligations to Vendors/ Suppliers/ Agencies

4. Relations with Other Departments

5. Department Credibility

6. Other Departmental Impacts

MyMIS


C. Define and establish estimated potential losses and liability to the department due tolost or delayed functions, in order of severity of the emergency:

Severity Amount or range (RM) Duration

1. Catastrophic

2. Major

3. Serious

4. Limited

D. Determine which critical department functions depend on ICT systems. List criticalfunctions with the associated ICT system(s). Contingency planning for critical functionsbeyond their information systems components should be referred to the departmentrecovery planning effort.

E. Establish the vulnerability of ICT systems by examining possible consequences andfrequency of specific emergencies.

Specific Emergencies Possible Consequences

1. Earthquake 1. Prohibited Access

2. Fire 2. Disrupted Power

3. Flood 3. Power Outage

4. Landslide 4. Water Damage

5. Bomb/ Explosion 5. Smoke Damage

6. Sabotage 6. Chemical Damage

7. Power Failure/ surge 7. Structural Damage

8. Other? 8. Communication loss

9. Other?

F. Using the information in A through E make a prioritized list of mission critical ICTsystem functions for restoration in an emergency.

III. GATHERING NECESSARY INFORMATION - RESOURCE ASSESSMENT

A. Survey the systems and data which are critical to the Department’s functions. Developflow charts of the results. Verify flow diagrams with appropriate system administrator.The survey should ascertain:

1. Source of all data used in the system

2. Nature of information or report

3. Frequency of need for data

4. How the data is obtained, paper, e-mail, remote access download, tape or disk.

5. Who in department receives or retrieves data.

MyMIS


6. Who on the department do you speak to about access to the data? Will they beavailable in an emergency?

7. What is the impact if this data is not available

8. Hardware/ OS software

9. Network.

10. Applications.

B. Determine if the current backup plan is adequate for the completed risk assessmentand includes the following features:

1. Routine periodic backups,

2. Clear backup “strategy” (full vs. incremental backups, frequency, etc.),

3. Off-site storage and retrieval procedures,

4. Alternate processing site (hot, warm, or cold site)

C. Complete a resource inventory in each of the following areas (items that might haveto be replaced):

1. Equipment

a. Computer hardware

b. Network hardware

c. Other equipment

2. Documentation

a. Procedure manuals/ handbooks

b. Software

c. Accounting procedures

d. Communication documentation

3. Others

D. Define the responsibilities of emergency response team(s).

E. Complete staff responsibility chart for emergency response.

1. Disaster evaluation team (management level)

2. Interim operations team

3. Recovery team

IV. INTEGRATION WITH DEPARTMENT RESPONSE AND RECOVERY PLANNING

A. Specify who is authorized to declare a disaster and activate the information systemsemergency Plan.

MyMIS


B. Define the department’s immediate response actions by referring to the DepartmentSafety Plan for evacuation and notification of staff.

1. Accounting for staff and others in the building.

2. Meeting location of disaster evaluation team.

3. Reaching staff needed for emergency response.

a. List of home telephone numbers

b. Cellular phone

C. The Department Recovery Plan should define “manual” processes that can be useduntil ICT resources are recovered. This need for parallel paper process is beyond theplanning scope of information system group. It needs to be defined by a departmentadministrative recovery team. This plan should:

1. Stock the required forms.

2. Pre-assign batch numbers, queue numbers, work order numbers, service requestnumbers, etc.

3. Document procedures to merge the manually tracked data with the information onthe system once it is restored.

4. Prescribe how the impact of changes in procedures will be clear to customers,vendors, etc.

V. INTERIM OPERATION PLAN - PREARRANGED AGREEMENTS FOR RESOURCE REPLACEMENT

A. Possibilities for alternate site:

1. Other department with similar facilities

2. Other department in the immediate geographical area

3. Computer manufacturer’s facilities (or other suggestions from them)

4. Service bureaus in the immediate area

B. Considerations for alternate site selection:

1. Building type

2. Floor capacity - space and load

3. Raised flooring

4. Electric circuits/ capacity/ special connectors

5. Air conditioning and humidity control

6. Chilled water

7. Fire protection and suppression

8. Security - personnel

9. Security - physical

10. Security - data

11. Communications

a. Telephones.

b. Network between departmental systems and access to other data.

c. Physical access to systems with critical data which are not accessible remotely.

MyMIS


C. Back-up agreements:

1. Written guarantee or contract with other companies.

2. Reciprocal agreements

3. Service bureau commitments

4. Vendor commitments

D. Alternate hardware:

1. Computer and components

a. CPU model

b. Memory

c. Operating system

d. Options

e. Peripherals

2. Network equipment and wiring

3. Terminals

4. Off-line equipment

5. Furniture

6. Office machines (including phones, fax, etc.)

E. Supplies:

1. Paper

2. Forms

3. Disks

4. Tapes

a. Reel

b. Cartridge (type)

F. Off-site moving plans:

1. Transportation of staff

2. Transportation of data and supplies

3. Staff phone list

4. Other

VI. TEST, EVALUATE AND UPDATE THE PLAN

A. Specify periodic testing of the contingency plan to assure processing compatibility:

1. Frequency

2. Scope

3. Test data

4. Test evaluation team

MyMIS


B. Periodically review and update of emergency response documentation:

1. Staff responsibility charts

2. Staff telephone numbers

3. Vendors

4. Software license agreements

5. Alternate site agreements

6. Inventory of computer hardware and software

7. Interim operations procedures

C. Periodically review and drill emergency response and recovery teams:

1. Tabletop exercise to test documentation and communication in controlled environment.

2. Functional exercise to test documentation, communication and procedures in controlledenvironment.

3. Field exercise to test documentation, communication, procedures and logistics ina simulated “real” environment.

VII. RECOVERY AND RESTORATION

A. Permanent site preparation:

1. Building

2. Floor capacity - space and load

3. Raised flooring

4. Electric circuits/ capacity/ special connectors

5. Air conditioning and humidity control

6. Chilled water

7. Fire protection and suppression

8. Security - staff

9. Security - physical

10. Security - data

11. Communications

a. Telephones

b. Network between departmental systems and access to other data

c. Physical access to systems with critical data which are not accessible remotely.

B. Procurement of hardware:

1. Acquisition

2. Computer and components

a. CPU model

b. Memory

c. Operating system

d. Options

e. Peripherals

MyMIS


3. Network equipment and wiring

4. Terminals

5. Off-line equipment

6. Furniture

7. Office machines (including phones, fax, etc. )

C. Supplies:

1. Paper

2. Forms

3. Disks

4. Tapes

a. Reel

b. Cartridge (type)

D. Parallel operations plans.

E. Migration plan

F. Procedures to close down the interim operation

MyMIS

Copyright MAMPU Reference - 1

References

Adams, Anne & Sasse, Martina Angela. 1999. Users Are Not the Enemy (password survey).Communications of the ACM, December v24 i12 p40.

Arahan Keselamatan. Kerajaan Malaysia.

B. Fraser. 1997. IETF RFC 2196 Site Security Handbook.

BSI/DISC Committee BDD/2. 1999. BS 7799-1:1999 Information Security Management, Part 1: Codeof Practice for Information Security Management. London: BSI.

Central Security Group Must Be Given Authority to Enforce VA’s Security Policies. 1999. FederalComputer Market Report, 8 November v23 i21 p8.

Cobb, Michael. 1999. Keep Your Systems Secure. E-Business Advisor, December v17 i12 p41.

Copyright (Amendment) Bill. 1997

Daukantas, Patricia. 2000. Energy labs tighten up. Government Computer News, January v19 i1 p1.

Frank, Diane. 2000. Security problems force EPA off the Internet (Government Activity). NetworkWorld, 21 February.

German Information Security Agency. 1998. German IT Baseline Protection Manual.

Government of Canada. 1997. Canadian Handbook on Information Technology Security (MG9).

Government of Malaysia. 1997. The Civil Service of Malaysia: Building an IT Culture: (improvementsand developments in the civil service of Malaysia 1997). Kuala Lumpur: Percetakan NasionalMalaysia Berhad.

Government of Malaysia. (on-line) http://www.comnet.mt/malwk98r/ses2pap2.htm (10 August 2000).

Hutt, Arthur E.; Bosworth, S. & Hoyt, Douglas B.. 1995. Computer Security Handbook. Ed. ke-3. USA:John Willey & Sons, Inc.

IETF RFC 2196 Site Security Handbook

Ismail, SAC I Mohd Nawawi. 2000. INFOSECURITY 2000: A Conference on Information and NetworkSecurity: Panel 2: Law Enforcement in Cyber Age. The Royal Malaysian Police: Government ofMalaysia.

ISO 13335-1. 1996. GMITS - Concepts and models for IT Security.

ISO 13335-2. 1997. GMITS - Managing and planning IT Security.

ISO 13335-3. 1998. GMITS - Techniques for the management of IT Security.

ISO 13335-4. 2000. GMITS - Selection of safeguards.

ISO 13335-5. GMITS - Management Guidance on Network.

MyMIS


ISO 14516 Guidelines for the Management of Trusted Third Parties

Jabatan Perdana Menteri. 2000. Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi(ICT) Kerajaan. Pekeliling Am Bil. 3.

Jabatan Perdana Menteri. 2001. Mekanisme Pelaporan Insiden Keselamatan Teknologi Maklumat DanKomunikasi (ICT). Pekeliling Am Bil. 1.

Johnston, David; Handa, Sunny & Morgan, Charles. 1998. Cyber Law. Selangor: Pelanduk Publications(M) Sdn. Bhd.

Jones, Jennifer. 2000. U.S. cyberattack protection plan draws criticism. Network World, 7 February.

Kaur, Harbans. Proceedings Of Paper Presentations At The International Symposium On “Best PracticeIn Electronic Government” - Session 2 (Legal Infrastructure) Paper II Cyberlaws for ElectronicGovernance - The Malaysian Experience 1998. Attorney General Chambers.

McKerrow, David J. 1997. Canadian Handbook on Information Technology Security. Government ofCanada.

Krause, Micki & Tipton, Harold F. Handbook of Information Security Management (Imprint: AuerbachPublications). CRC Press LLC. Authors: ISBN: 0849399475.

Krebs, Brian. 2000. EPA Takes Down Web Site Due To Security Lapse. Newsbytes, 17 February.

Krill, Paul. 2000. Microsoft vows security commitment on Windows 2000. Network World, 24 January.

McGuire, David. 2000. Government Should Set Cybersecurity Example. Newsbytes, 15 February.

McGuire, David. 2000. Mitnick Points to Computer Security’s Weakest Link. Newsbytes, 2 March.

Md. Din & DSP Mohd. Kamaruddin. 2000. Lecture Notes in ICT Security: Jenayah Komputer. TheRoyal Malaysian Police: Government of Malaysia.

MIMOS Bhd. Malaysian Cyberbills 1998. Kuala Lumpur. (on-line) http://www.mycert.mimos.my/bill.htm(12 August 2000).

Musa, Mohd Adzman; Abdul Aziz, Osman. Reengineering the Public Service-Leadership and Changein an Electronic Age: Part III Chapter 9 Building A Government Infostructure (1999).

National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce.An Introducation to Computer Security; The NIST Handbook.

Parker, Donn B. Handbook of Information Security Management. Domain 6-Law, Investigation, andEthics: Section 6-1-Legal and Regulatory Issues: Chapter 6-1-1-Computer Abuse Methods andDetection 1997. Auerbach Publications. (on-line) http://www. hackzone.ru/nsp/info/misc/handbook/507-512.html#Heading1 (8 August 2000).

Penafsiran Rekod Awam. Akta Arkib Negara Malaysia No. 44/1966.

Peraturan Penggunaan Mesin Faksimili Di Pejabat-Pejabat Kerajaan. 1993. Surat Pekeliling Am Bil.1.

Prosedur Perlantikan Pakar Runding. 1995. Surat Pekeliling Perbendaharaan Bil. 1.

S.K.Parmar & Cst, N.Cowichan Duncan RCMP Det (cmpl). An Introduction to Security Manual.

MyMIS


Sommer, Peter. 1999. Security must be modernised. Computer Weekly, 25 November p22.

Stone, Martin. 2000. Coolio Busted, SalesGate, Intuit Pilfered. Newsbytes, 3 March.Technical Security Standard for Information Technology (TSSIT) August 1997.

Undang-Undang Malaysia, 1987, 1998, 1999. Kuala Lumpur: Percetakan Nasional Malaysia Berhad.

Verton, Daniel. 1999. Lax Computer Security Helped Chinese Steal Nuke Secrets. Network World,25 October.

Wang, Wallace. 1999. Sources For Security Tools and Information. Boardwatch Magazine, Decemberv13 i12 p128.

Weiss, Aaron. 2000. Act Now to Protect Your Data - Look for Gaps in Network Security and PlugThose Holes to keep cyberthieves at Bay. InformationWeek, 28 February p101.

Welch, Thomas. Handbook of Information Security Management. Domain 6-Law, Investigation, andEthics: Section 6-2-Investigation: Chapter 6-2-1-Computer Crime Investigation and ComputerForensics 1997. Auerbach Publications. (on-line) http://www.hackzone.ru/nsp/info/misc/handbook/549-553.html#Heading3 (8 August 2000).

MyMIS

Copyright MAMPU Glossary - 1

Glossary

AI Artificial IntelligenceThis is a branch of computer science that is concerned with the automation ofintelligent behavior based on sound theoretical and applied principles, which includedata structures, used in knowledge representation, the algorithms and the languagesand programming techniques used in their implementation.

Audit Trail This is a process of identifying the actions taken in processing input data or inpreparing an output such that data on a source document can be traced forwardto an output and an output can be traced back to the source items from which itis derived.

Authenticate This is to verify the identity of a user, device, or entity in a computer system, oftenas a prerequisite to allow access to resources in a system.

Authorisation This is the granting of access rights to a user, program, or process.

Back-up This refers to equipment, procedures, and extra copies of data that are availablefor use in the event of failure of normally used equipment or procedures.

Biometrics This is a method of verifying an individual’s identity by analysing a unique physicalattribute of a specific individual, including fingerprints, hand geometry, retinal scanning,voice verification, or signature dynamics.

BSA Business Software AllianceThis is the voice of companies developing the software, hardware and technologiesbuilding the Internet and electronic commerce.

CA Certification AuthorityThis is a trusted entity that issues and revokes public key certificates and certificaterevocation lists.

Checksum This is a method of error detection that is a summation of all the bits in a messageand contained in the message

DMZ DeMilitarised ZoneThis is a part of a network that is protected by a firewall, by maybe accessed byexternal Internet clients.

Degauss This is the act of de-magnetising a CRT monitor or magnetic media.

Dial-up This is the service whereby a computer terminal can use the telephone to initiateand effect communication with a computer.

DRP Disaster Recovery/Contingency PlanA plan for emergency response, back-up operations and post-disaster recoverymaintained by an activity as a part of its security programme that will ensure theavailability of critical resources and facilitate the continuity of operations in an emergencysituation.

EDI Electronic Data InterchangeThis is a set of protocols for conducting highly structured inter-organization exchanges,such as for making purchases or initiating loan request.

MyMIS


GCERT Government Computer Emergency Response TeamIt is a special team located at MAMPU responsible for handling all reported incidents.

GMITS Guidelines for the Management of IT SecurityThis is the ISO 13335, Part 1 to part 3.

Hacker This is a term used to designate an individual who, without authorisation, attemptsto gain access to a computer system.

Hashing This is the process of using an algorithm to convert key values into storage addressesfor the purpose of direct access storage and retrieval of information.

ICT Information and Communications TechnologyA terminology used in association with technology related to information andcommunications.

ICTSO ICT Security OfficerA person who is appointed by a Ministry/Department, in charge of the development,implementation and maintenance of the Public Sector ICT Security programmes ofthe department.

IDS Intrusion Detection SystemIt is a device that monitor or record information being transmitted on a network

IP Intellectual PropertyThis IP refers to any base of knowledge that was developed for a particular companyor entity.

ISDN Integrated Systems Digital NetworkThis is a digital line that is often used to connect to the Internet

ISP Internet Service ProviderAn ISP provides Internet access to people or corporations. ISPs generally havepools of modems awaiting dial-up connections.

ITSEC European IT Security Standard Evaluation and Criteria

LAN Local Area NetworkA network of computers confined within a small area such as an office building.

MRP Memory Resident ProgramIt is a program that is loaded into memory where it remains after it finishes its task,until it is explicitly removed or until the computer is turned off or reset.

MSC Multimedia Super CorridorA world-first, world-class act - to help companies of the world test the limits oftechnology and prepare themselves for the future.

Official Official information includes any information that relates to any public service.Information

a. Official Secret“official secret” means any document specified in the Schedule and any informationand material relating thereto and includes any other official document, informationand material as may be classified as “Rahsia Besar”, “Secret”, “Confidential” or“Restricted”, as the case may be, by a Minister, the Menteri Besar or ChiefMinister of a State or such public officer appointed under section 2B OfficialSecrets Act 1972

MyMIS


b. Schedule under Official Secrets Act 1972Cabinet documents, records of decisions and deliberations including those ofcabinet committees;State Executive Council documents, records of decisions and deliberations includingthose of State Executive Council committees;Documents concerning national security, defence and international relations.

c. DeclassificationDeclassification of official secret by a Minister or a public officer, may at anytime ceases to be official secret under section 2C, Official Secrets Act 1972

d. Physical SecurityPhysical Security means the physical protection afforded to classified materialor critical and sensitive government information processing facilities and to buildingsand their occupants.

Orange Book Alternate name for TCSEC.

Patching This is a method of correcting or modifying a program in a rough or expedient wayby adding new sections of coding.

PBX Private Branch ExchangeThis is a private telephone switch used within a company that allows inter-companytelephone calls without using outside lines.

PKI Public Key InfrastructureA PKI is the combination of software, encryption technologies, and services thatenables organisations to protect the security of their communications and businesstransactions on the Internet.

PPD Port Protection DeviceA PPD is an external device fitted to a communications port of a host computerthat provides the function of authorising access to the port itself, prior to and independentof the computer’s own access control functions.

SDLC Software Development Life CycleA life cycle that outlines a careful, engineering approach to the development ofsoftware to take.

Secured It is an equipment to be used while transmitting data and/or information via facsimilesuch as encryptor device.

SPA Security Posture AssessmentThe SPA is meant to establish the current baseline security of the network andsystems by discovering known vulnerabilities and weaknesses, with the intention ofproviding incremental improvements to tighten the security of the network and systems.

TCSEC Trusted Computer Security Evaluation CriteriaThe document published by the National Computer Security Center, US containinga uniform set of basic requirements and evaluation classes for assessing degreesof assurance in the effectiveness of hardware and software security controls builtinto systems.Also known as ‘The Orange Book’.

TTP Trusted Third PartyIt is an entity mutually trusted by other entities.

MyMIS


UPS Uninterruptible Power SupplyThis is a device that contains a battery and some circuitry to supply the computerwith power for a limited time (depending on the battery) if there is any sort ofinterruption in the outlet power.

VPN Virtual Private NetworkA VPN is a private data network that makes use of the public telecommunicationinfrastructure, maintaining privacy with a tunnelling protocol and other securityprocedures.

MyMIS


PRINTED BYPERCETAKAN NASIONAL MALAYSIA BERHAD,KUALA LUMPUR BRANCH2002

MALAYSIAN PUBLIC SECTOR MANAGEMENT OF...

Documents

Transcript of MALAYSIAN PUBLIC SECTOR MANAGEMENT OF...